| Title | fishaudio Bert-VITS2 <= 406b79a Path Traversal (CWE-22) |
|---|---|

Description:

# Technical Details
A Path Traversal vulnerability exists in the `generate_config()` function in `webui_preprocess.py` of Bert-VITS2.
The application fails to sanitize the user-provided data_dir parameter before passing it to os.path.join("./data", data_dir) and os.mkdir(), allowing traversal sequences (e.g., ../../../../tmp) to escape the intended ./data directory and create arbitrary directories and write config.json files with attacker-controlled content anywhere on the host filesystem.
# Vulnerable Code
File: webui_preprocess.py
Method: generate_config()
Why: The data_dir parameter received from the Gradio WebUI is concatenated with os.path.join("./data", data_dir) without applying os.path.realpath() or path prefix validation. The resulting path is used directly in os.mkdir() and open() to write a JSON config file, enabling directory creation and file write at arbitrary locations.
# Reproduction
1. Start the Bert-VITS2 webui_preprocess.py application (Gradio default port 7860).
2. Send a crafted Gradio predict request with a traversal payload:
```shell
curl -X POST http://127.0.0.1:7860/run/predict \
  -H "Content-Type: application/json" \
  -d '{"data": ["../../../../tmp", 1337], "fn_index": 0}'
```
3. Verify the config file was written outside the intended directory:
```shell
cat /tmp/configs/config.json | grep batch_size
# Output: "batch_size": 1337
```
# Impact
- Arbitrary directory creation anywhere the server process has write access
- Arbitrary JSON configuration file overwrite (attacker controls batch_size and other config values)
- Application configuration poisoning leading to misbehavior or Denial of Service
- Potential for further exploitation by overwriting config files relied upon by other services
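The fix the advisory points at (realpath plus prefix validation) is easy to get subtly wrong, so here is an added example, not code from Bert-VITS2, of a hardened `generate_config()` that resolves `./data/<data_dir>` and refuses anything that escapes the root. The `configs/config.json` layout under the data directory and the function names are assumptions made for this example.

```python
import json
import os
import tempfile

def resolve_data_dir(data_dir: str, root: str) -> str:
    """Resolve <root>/<data_dir>, rejecting anything that escapes root.
    realpath() collapses '..' and follows symlinks; commonpath() then checks
    containment without the '/data' vs '/data2' prefix trap of startswith()."""
    if not data_dir or os.path.isabs(data_dir):
        raise ValueError("data_dir must be a non-empty relative path")
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, data_dir))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"data_dir escapes {root}: {data_dir!r}")
    return candidate

def is_within_root(data_dir: str, root: str = "./data") -> bool:
    """Boolean wrapper around resolve_data_dir()."""
    try:
        resolve_data_dir(data_dir, root)
        return True
    except ValueError:
        return False

def generate_config(data_dir: str, batch_size: int, root: str = "./data") -> str:
    """Hardened form of the vulnerable pattern (join './data' with data_dir, then
    os.mkdir()/open() with no validation). Assumed layout, not the project's own:
    <root>/<data_dir>/configs/config.json, matching the advisory's cat command."""
    config_dir = os.path.join(resolve_data_dir(data_dir, root), "configs")
    os.makedirs(config_dir, exist_ok=True)
    config_path = os.path.join(config_dir, "config.json")
    with open(config_path, "w", encoding="utf-8") as fh:
        json.dump({"batch_size": batch_size}, fh, indent=2)
    return config_path

def self_test() -> dict:
    """Exercise generate_config() against a throwaway root directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "data")
        os.mkdir(root)
        written = generate_config("mydataset", 1337, root)
        with open(written, encoding="utf-8") as fh:
            batch_size = json.load(fh)["batch_size"]
        return {"batch_size": batch_size,
                "written_under_root": written.startswith(os.path.realpath(root)),
                "traversal_blocked": not is_within_root("../../../../tmp", root),
                "prefix_trap_blocked": not is_within_root("../data2/x", root)}
```

The `../data2/x` case is the one a plain `startswith("./data")` check would wave through; `commonpath` rejects it because the shared prefix is the parent directory, not the root itself.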
| Source | ⚠️ https://gist.github.com/YLChen-007/550cb92f3489c317ff049fc7d7ea6b99 |
|---|---|
| User | Eric-b (UID 96354) |
| Submitted | 23/04/2026 09:36 (1 month ago) |
| Moderated | 16/05/2026 19:37 (23 days later) |
| Status | accepted |
| VulDB entry | 364383 [fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c Gradio Interface webui_preprocess.py generate_config data_dir path traversal] |
| Score | 20 |