Submeter #811175: fishaudio Bert-VITS2 <= 406b79a Path Traversal (CWE-22)informação

Títulofishaudio Bert-VITS2 <= 406b79a Path Traversal (CWE-22)
Descrição# Technical Details A Path Traversal vulnerability exists in the `generate_config()` function in `webui_preprocess.py` of Bert-VITS2. The application fails to sanitize the user-provided data_dir parameter before passing it to os.path.join("./data", data_dir) and os.mkdir(), allowing traversal sequences (e.g., ../../../../tmp) to escape the intended ./data directory and create arbitrary directories and write config.json files with attacker-controlled content anywhere on the host filesystem. # Vulnerable Code File: webui_preprocess.py Method: generate_config() Why: The data_dir parameter received from the Gradio WebUI is concatenated with os.path.join("./data", data_dir) without applying os.path.realpath() or path prefix validation. The resulting path is used directly in os.mkdir() and open() to write a JSON config file, enabling directory creation and file write at arbitrary locations. # Reproduction 1. Start the Bert-VITS2 webui_preprocess.py application (Gradio default port 7860). 2. Send a crafted Gradio predict request with a traversal payload: curl -X POST http://127.0.0.1:7860/run/predict -H "Content-Type: application/json" -d '{"data": ["../../../../tmp", 1337], "fn_index": 0}' 3. Verify the config file was written outside the intended directory: cat /tmp/configs/config.json | grep batch_size # Output: "batch_size": 1337 # Impact - Arbitrary directory creation anywhere the server process has write access - Arbitrary JSON configuration file overwrite (attacker controls batch_size and other config values) - Application configuration poisoning leading to misbehavior or Denial of Service - Potential for further exploitation by overwriting config files relied upon by other services
Fonte⚠️ https://gist.github.com/YLChen-007/550cb92f3489c317ff049fc7d7ea6b99
Utilizador
 Eric-b (UID 96354)
Submissão23/04/2026 09h36 (há 1 mês)
Moderação16/05/2026 19h37 (23 days later)
EstadoAceite
Entrada VulDB364383 [fishaudio Bert-VITS2 até 8f7fbd8c4770965225d258db548da27dc8dd934c Gradio Interface webui_preprocess.py generate_config data_dir Travessia de Diretório]
Pontos20

VoltarVisão GeralPróximo

Want to know what is going to be exploited?

We predict KEV entries!