CVE-2024-43035 | THREATINT

Description

Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. NOTE: serveFiles exists in 0.5.5 but not in the next release, 0.6.1.

PUBLISHED Reserved 2024-08-05 | Published 2026-03-05 | Updated 2026-03-06 | Assigner mitre

MEDIUM: 5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Problem types

CWE-24 Path Traversal: '../filedir'

Product status

Default status

unknown

0.5.5 (semver) before 0.6.1

affected

References

github.com/...5b6a50d5e233f994e2b2cf/mods/voice/src/utils.ts

zeropath.com/blog/fonoster-voiceserver-lfi-vulnerability

cve.org (CVE-2024-43035)

nvd.nist.gov (CVE-2024-43035)

Download JSON