GHSA-869j-r97x-hx2g
Anki's local HTTP server does not sufficiently validate requests
## Summary
Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways:

1. No sufficient validation of the Origin header.
2. Some endpoints are vulnerable to path traversal attacks.
This allows malicious websites to exfiltrate local files given a known path.
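The two checks the advisory says were missing, written out as an added example rather than Anki's own code. The allowlisted origins, the media root and the function names are assumptions for illustration; a request with no Origin header is treated as a same-origin load here, while any cross-site request (which browsers always tag with Origin when the page can read the response) must match the allowlist, and every requested path must resolve inside the media root.

```python
# Added example (not Anki's code): request validation for a local
# media/web server. Allowlist and media root are assumptions.
from pathlib import Path
from urllib.parse import unquote

# Origins that may legitimately read from the local server (assumed).
ALLOWED_ORIGINS = {"http://127.0.0.1:40000", "http://localhost:40000"}


def origin_allowed(origin):
    """Allow Origin-less requests (same-origin loads by the app's own
    webview); any Origin that is present must be on the allowlist, so a
    page on another site cannot read responses cross-site."""
    if origin is None:
        return True
    return origin.strip().lower() in ALLOWED_ORIGINS


def resolve_media_path(media_root, url_path):
    """Map a URL path onto a file under media_root, or return None if the
    resolved path escapes it. Percent-decoding happens first so encoded
    separators and dot segments are normalised before the containment
    check; resolve() collapses '..' and follows symlinks."""
    root = Path(media_root).resolve()
    candidate = (root / unquote(url_path).lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # ValueError if outside root
    except ValueError:
        return None
    return candidate


def check_request(origin, url_path, media_root):
    """Apply both checks; return (allowed, reason_or_resolved_path)."""
    if not origin_allowed(origin):
        return False, "origin rejected"
    target = resolve_media_path(media_root, url_path)
    if target is None:
        return False, "path escapes media root"
    return True, str(target)
```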
## Browser impact
The severity varies by browser because of Private Network Access (PNA), a newer spec that restricts web pages from making requests to localhost/local network addresses:
- Chrome/Chromium (including Edge, Brave): Largely protected, as Chrome has implemented PNA restrictions for several years and now puts local network access behind a permission prompt.
- Safari: Hasn't implemented PNA yet, though macOS has some OS-level protections.
- Firefox: Most vulnerable, as it hasn't implemented PNA yet, though it's reportedly planned for Firefox 151.
## Patches
The issue was fixed as of Anki 25.09.3.