5.8
Fonoster: attackers can read sensitive files
CVE-2024-43035
GHSA-9fv2-c7v6-p45w
Summary
A vulnerability in Fonoster's VoiceServer endpoint allows an attacker to access and read any file on the server by manipulating the endpoint URL. This means sensitive data stored on the server could be accessed and potentially used maliciously. Fonoster users should update to version 0.6.1 or later to fix this issue.
What to do
- Update fonoster voice to version 0.6.1.
- Update fonoster @fonoster/voice to version 0.6.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| fonoster | voice | > 0.5.5, <= 0.6.1 | 0.6.1 |
| fonoster | @fonoster/voice | > 0.5.5, <= 0.6.1 | 0.6.1 |
Original title
Fonoster is vulnerable to directory traversal
Original description
Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. NOTE: serveFiles exists in 0.5.5 but not in the next release, 0.6.1.
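The class of bug described above, as an added example that is not Fonoster's code: a file-serving helper that joins a `:file` route parameter to a media directory, beside a version that rejects any path resolving outside that directory. The function names, the `/srv/voice/sounds` root and the sample parameter values are assumptions made for illustration.

```javascript
const path = require("node:path");

// Hypothetical media root; the directory the project really uses is not on the page.
const SOUNDS_ROOT = path.resolve("/srv/voice/sounds");

// Vulnerable shape: the route parameter is joined to the root unchecked,
// so "../" segments walk out of the media directory.
function resolveUnsafe(root, fileParam) {
  return path.join(root, fileParam);
}

// Hardened shape: resolve to an absolute path first, then require the
// result to stay strictly below the root. Returns null when it does not.
function resolveSafe(root, fileParam) {
  if (typeof fileParam !== "string" || fileParam.includes("\0")) return null;
  const base = path.resolve(root);
  const candidate = path.resolve(base, fileParam);
  // Compare against root + separator so a sibling such as
  // "/srv/voice/sounds-old" does not pass a bare prefix test.
  if (!candidate.startsWith(base + path.sep)) return null;
  return candidate;
}

// Constructed :file values, as a handler would receive them after decoding.
const SAMPLES = [
  "hello.wav",
  "en/greeting.wav",
  "../../../etc/passwd",
  "../sounds-old/x.wav",
  "/etc/passwd",
];

// Resolve every sample with both helpers so the difference is visible.
function compare(samples) {
  return samples.map((file) => ({
    file,
    unsafe: resolveUnsafe(SOUNDS_ROOT, file),
    safe: resolveSafe(SOUNDS_ROOT, file),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(`${row.file} -> unsafe=${row.unsafe} safe=${row.safe ?? "rejected"}`);
}
```

The containment check is lexical: if the media directory can contain symbolic links, resolve both paths with `fs.realpath` before comparing.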
nvd CVSS3.1
5.8
Vulnerability type
CWE-24
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026