Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability exists in src/api/system.py within the export_file route. The application accepts a JSON payload containing a filename and content. While the developer intended for a native UI dialog to handle the file path, the API does not validate the filename string before it is processed by the backends filesystem logic. Because the API is unauthenticated and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or allowing localhost), an external attacker can bypass the UI entirely. By using directory traversal sequences (../), an attacker can force the app to write arbitrary data to any location accessible by the current user's permissions. This vulnerability is fixed in 4.4.2.
The vulnerability is located in the src/api/system.py file, in the export_file route, which accepts a JSON payload containing a file name and its content. The application does not verify the provided file name before passing it to the file system logic. Since the endpoint does not require authentication, and the CORS configuration in app.py is overly permissive (allow_origins=["*"] or localhost), an attacker can bypass the user interface and directly invoke the API. Using path traversal sequences (../), an attacker can force the application to write arbitrary data to any location accessible to the current user's permissions.
An attacker can write arbitrary content to any location in the file system accessible to the application process, which may lead to overwriting critical system or configuration files, injection of malicious code, and takeover of system control.
Vociferous should be updated to version 4.4.2, in which the vulnerability has been patched. Additionally, it is recommended to restrict network access to the application API and to verify CORS configuration.
Vociferous in versions prior to 4.4.2 (vendor: WanderingAstronomer)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWanderingastronomer Vociferous
APPWanderingastronomer< 4.4.2