F5-TTS Path Traversal Vulnerability in Gradio Handlers Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in F5-TTS versions through 1.1.20. It resides in the finetune Gradio handlers, where unsanitized user-supplied project names are passed directly to 'os.path.join()'. Because 'os.path.join()' discards every preceding component when a later component is an absolute path, an unauthenticated attacker who supplies an absolute path as the project name replaces the intended base directory entirely. Exploitation therefore consists of supplying absolute path arguments to create arbitrary directories and write attacker-controlled JSON content to any filesystem location writable by the server process.

Impact

Exploitation of this vulnerability allows arbitrary directory creation and the writing of a fixed-name file (with attacker-controlled JSON content) outside the intended project directories, potentially overwriting existing files.

Reproduction

The vulnerability can be reproduced by creating a Gradio application that calls the 'create_data_project' and 'save_settings' functions from the 'finetune_gradio' module. Project names can be crafted to include absolute paths, which will be accepted by the application and used to create directories and files outside the designated base directories.
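The unsafe join described above, shown beside a hardened project-name check, as an added example that is not F5-TTS code; 'BASE_DIR' and the function names are constructed for illustration:

```python
import os

# Constructed base directory for the example (not F5-TTS's real layout).
BASE_DIR = "/srv/f5tts/data"


def unsafe_project_dir(base: str, project_name: str) -> str:
    """The vulnerable pattern: an untrusted name goes straight into
    os.path.join(). If the name is absolute, `base` is discarded."""
    return os.path.join(base, project_name)


def safe_project_dir(base: str, project_name: str) -> str:
    """Hardened variant: accept only a single plain path component and
    confirm the resolved path is still inside `base`."""
    if not project_name or project_name in {".", ".."}:
        raise ValueError("empty or reserved project name")
    if os.path.isabs(project_name) or os.sep in project_name or (
        os.altsep is not None and os.altsep in project_name
    ):
        raise ValueError("project name must be a single path component")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, project_name))
    # Defence in depth: containment check even after the name passed above.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("project path escapes the base directory")
    return candidate


def escapes_base(base: str, path: str) -> bool:
    """True when `path` resolves outside `base`."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


def accepts(base: str, project_name: str) -> bool:
    """Whether the hardened check admits `project_name`."""
    try:
        safe_project_dir(base, project_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["my_voice", "/tmp/elsewhere", "../sibling"]:
        joined = unsafe_project_dir(BASE_DIR, name)
        print(f"{name!r}: join -> {joined!r} escapes={escapes_base(BASE_DIR, joined)}")
        print("    hardened:", "accepted" if accepts(BASE_DIR, name) else "rejected")
```

The same containment check belongs in front of every handler that turns a user-supplied name into a directory or file path, not only the two named above.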

Remediation

Users are advised to update to F5-TTS version 1.1.21 or later, where this vulnerability has been patched.

Added: Jun 1, 2026, 8:24 PM
Updated: Jun 1, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 8.7
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.