Executive Summary

CVE-2026-43624 is a path traversal vulnerability in the F5-TTS software, specifically in the finetune Gradio handlers. It occurs because user-supplied project names are passed directly to os.path.join() without proper validation, allowing attackers to supply absolute paths or path traversal sequences.

This flaw enables unauthenticated attackers to create arbitrary directories and write files outside the intended base directories anywhere on the filesystem writable by the server process. For example, an attacker can use a project name like "/tmp/EVIL" to override the base directory and write attacker-controlled JSON content in arbitrary locations.

The vulnerability affects functions such as create_data_project and save_settings, which accept unsanitized project names, leading to directory creation and file writes outside the intended application boundaries. Although it does not allow direct code execution, it enables unauthorized file system modifications.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to write arbitrary files and create directories anywhere on the filesystem where the server process has write permissions.

• Attackers can bypass directory restrictions and place attacker-controlled JSON files outside the intended application directories.
• This can lead to unauthorized modification or addition of files, potentially affecting application behavior or data integrity.
• While it does not allow direct code execution, the ability to write files arbitrarily can be leveraged in further attacks or to disrupt normal operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of unexpected directories or files created outside the intended F5-TTS data or checkpoint directories, especially directories or files with attacker-controlled names such as those starting with /tmp/F5TTS_PWND or similar path traversal patterns.

On the system running the vulnerable F5-TTS version, you can look for suspicious directories or files created by the server process in locations like /tmp or other writable filesystem paths.

• Use commands like `find /tmp -name 'F5TTS_PWND*'` to locate suspicious directories or files created by exploitation attempts.
• Check for the presence of unexpected `setting.json` files outside the normal F5-TTS directories, for example: `find /tmp -name 'setting.json'`.

Additionally, monitoring logs for unusual or unauthenticated requests to the finetune Gradio handlers that include project names with absolute paths or path traversal sequences can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade F5-TTS to a version that includes the patch fixing this vulnerability. The fix was introduced in commit `2f53ded` which adds proper validation and sanitization of project names to prevent path traversal.

If upgrading immediately is not possible, restrict access to the finetune Gradio handlers to trusted users only, as the vulnerability allows unauthenticated attackers to exploit it.

Implement filesystem permissions to limit the write access of the F5-TTS server process, preventing it from writing outside intended directories.

Monitor and audit filesystem locations for suspicious files or directories created by exploitation attempts and remove them.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0