Security Bulletin

[High] Anki's local HTTP server does not sufficiently validate requests

Posted by system · 2026/6/20

Security Bulletin · Severity: High · GHSA-869j-r97x-hx2g

Vulnerability Overview

Summary

Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in two ways:

  1. It does not sufficiently validate the Origin header, so requests issued by foreign web origins are accepted.
  2. Some endpoints are vulnerable to path traversal, so a request can reach files outside the directory the endpoint is meant to serve.

Combined, this allows a malicious website open in the user's browser to read and exfiltrate local files whose path it knows.
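The two checks the advisory describes as missing, written out as an added example (not Anki's code, and not the actual fix shipped in 25.09.3). The port, the allowed origins, the media directory and the handler class are all hypothetical; the point is the two functions: one that refuses requests a browser marks as coming from another site, and one that maps a request target to a file and refuses anything that would escape the media root, including percent-encoded dot segments, NUL bytes, backslashes and symlinks.

```python
"""Added example: Origin and path checks for a localhost media server.

Not Anki's code. Port, origins, media directory and handler are hypothetical.
"""
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

MEDIA_ROOT = "./media"  # hypothetical directory the server is meant to expose
# The only origin the app itself serves pages from; anything else is a foreign website.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8765", "http://localhost:8765"})


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict or an http.client message."""
    for key in headers:
        if key.lower() == name.lower():
            return headers[key]
    return None


def origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Refuse requests that the browser itself labels as coming from another site.

    Browsers attach Origin to cross-origin fetch/XHR and to every non-GET request,
    and Sec-Fetch-Site to every request. A same-origin GET from the app's own page
    carries no Origin, so an absent Origin is accepted only when Sec-Fetch-Site
    does not contradict it. Non-browser clients send neither header; the threat
    model here, as in the advisory, is a web page in the user's browser.
    """
    origin = _header(headers, "Origin")
    if origin is not None and origin not in allowed:  # also rejects the literal "null"
        return False
    site = _header(headers, "Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return False  # "cross-site", and "same-site" (another port on localhost)
    return True


def resolve_media_path(media_root, request_target):
    """Map the request target to a file under media_root; None if it would escape."""
    root = os.path.realpath(media_root)
    path = unquote(urlsplit(request_target).path)  # decode %2e%2e etc. exactly once
    if "\0" in path or "\\" in path:  # NUL truncation, Windows path separators
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if not segments or ".." in segments:  # refuse every dot-dot, even a harmless one
        return None
    candidate = os.path.realpath(os.path.join(root, *segments))
    try:
        inside = os.path.commonpath([root, candidate]) == root  # also catches symlinks
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


class MediaHandler(BaseHTTPRequestHandler):
    """Hypothetical handler wiring both checks in front of the file read."""

    def do_GET(self):
        if not origin_allowed(self.headers):
            self.send_error(403, "cross-origin request refused")
            return
        target = resolve_media_path(MEDIA_ROOT, self.path)
        if target is None or not os.path.isfile(target):
            self.send_error(404)
            return
        with open(target, "rb") as f:
            data = f.read()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8765), MediaHandler).serve_forever()
```

The Origin check alone only defends against browsers, which is exactly the attacker the advisory describes; it does nothing against another local process. Servers that need to resist that too usually add a per-launch random token that the app's own pages include in every request.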

Browser impact

The severity varies by browser because of Private Network Access (PNA), a newer spec that restricts web pages from making requests to localhost and local-network addresses:

Chrome/Chromium (including Edge, Brave): Largely protected. Chrome has enforced PNA restrictions for several years and now puts local network access behind a permission prompt.
Safari: Has not implemented PNA yet, though macOS has some OS-level protections.
Firefox: Most exposed. It has not implemented PNA yet, though support is reportedly planned for Firefox 151.

Patches

The issue was fixed in Anki 25.09.3.

Affected components

Ecosystem   Component   Affected versions   Fixed version
pip         aqt         <= 25.9.2           25.9.3

Remediation

Upgrade aqt to 25.9.3 or later.

References

Compiled from the GitHub Advisory Database (CC-BY-4.0 license); the data source is noted above.
