Ankitects Anki
cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*
A vulnerability exists in Ankitects Anki versions prior to 25.02.6 that allows crafted sound file references to cause files to be written to arbitrary locations on Windows and Linux. The issue arises because media file pathnames are not always relative to the media folder. It could be exploited by passing a media file reference that starts with a special scheme, causing a file to be written to the filesystem.
Exploitation of this vulnerability could lead to unauthorized file writes, potentially overwriting existing files or creating new ones in unintended locations.
To reproduce this vulnerability, create a sound file reference that includes a pathname not relative to the media folder. This can be done by using a special scheme that bypasses the default path restrictions. Once the file reference is crafted, it can be used in a context that triggers the file write operation, such as through the Anki application's audio playback features.
Users are advised to update to Anki version 25.02.6 or later, where this vulnerability has been addressed.
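The root cause above is a media reference that is not confined to the media folder. The following containment check is an added example, not Anki's code or its actual fix; the helper names, the sample references and the folder name used for the temporary directory are assumptions made for illustration.

```python
import ntpath
import posixpath
import re
import tempfile
from pathlib import Path

# Any "scheme:" prefix; this also catches Windows drive letters such as "C:".
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def resolve_media_ref(media_dir: Path, ref: str) -> Path:
    """Return the path for `ref` inside `media_dir`, or raise ValueError."""
    if not ref or "\x00" in ref:
        raise ValueError("empty or NUL-containing reference")
    if _SCHEME_RE.match(ref):
        raise ValueError("scheme or drive prefix not allowed")
    # Test both path flavours so the same rule holds on Windows and Linux.
    if posixpath.isabs(ref) or ntpath.isabs(ref) or ref.startswith("\\"):
        raise ValueError("absolute path not allowed")
    parts = re.split(r"[\\/]", ref)
    if ".." in parts:
        raise ValueError("parent-directory component not allowed")
    base = media_dir.resolve()
    candidate = (base / Path(*parts)).resolve()
    # Final containment check; also covers symlinks that point outside.
    if candidate == base or not candidate.is_relative_to(base):
        raise ValueError("reference escapes the media folder")
    return candidate


# Constructed sample references; "scheme:" is a placeholder, not a real scheme.
SAMPLE_REFS = ["hello.mp3", "sub/clip.ogg", "../outside.mp3",
               "/tmp/outside.mp3", "C:\\outside.mp3", "scheme:outside.mp3"]


def check_refs(refs):
    # Classify each reference against a throwaway media folder.
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "collection.media"
        media.mkdir()
        results = {}
        for ref in refs:
            try:
                resolve_media_ref(media, ref)
                results[ref] = "ok"
            except ValueError as exc:
                results[ref] = f"rejected: {exc}"
        return results
```

Calling `check_refs(SAMPLE_REFS)` accepts only the two relative names and rejects the rest before any file operation takes place.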