GHSA-9fv2-c7v6-p45w

Source

https://github.com/advisories/GHSA-9fv2-c7v6-p45w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9fv2-c7v6-p45w/GHSA-9fv2-c7v6-p45w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9fv2-c7v6-p45w

Aliases

CVE-2024-43035

Published

2026-03-05T21:30:48Z

Modified

2026-03-06T23:01:28.520160Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Fonoster is vulnerable to directory traversal

Details

Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. NOTE: serveFiles exists in 0.5.5 but not in the next release, 0.6.1.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T22:46:28Z",
    "nvd_published_at": "2026-03-05T20:16:09Z"
}

References

Affected packages

npm / @fonoster/voice

Package

Name: @fonoster/voice; View open source insights on deps.dev
Purl: pkg:npm/%40fonoster/voice

Affected ranges

Type: SEMVER
Events: Introduced

0.5.5

Fixed

0.6.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9fv2-c7v6-p45w/GHSA-9fv2-c7v6-p45w.json"