Path Traversal: '../filedir'

CVE-2024-43035

Medium

5.8/10

Summary

Fonoster 0.5.5 prior to 0.6.1 allows "../" directory traversal to read arbitrary files via the "/sounds/:file" or "/tts/:file" "VoiceServer" endpoint. This occurs in "serveFiles" in "mods/voice/src/utils.ts". NOTE: "serveFiles" exists in 0.5.5 but not in the next release, 0.6.1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-24 - Path Traversal: '../filedir'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

References

Advisory

Advisory Timeline

Published Mar 05, 2026

Path Traversal: '../filedir'

CVE-2024-43035

Summary

CWE-24 - Path Traversal: '../filedir'

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS