anki 2.1.57rc1 vulnerabilities

Known vulnerabilities in the anki package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Arbitrary Code Injection Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper handling of MPV functionality in flashcards. The MPV component processes user-supplied flashcard content with insufficient sanitization, enabling crafted inputs to execute arbitrary scripts on Windows systems. An attacker can exploit this by distributing a specially crafted flashcard to a userresulting in arbitrary code execution within the user's context, potentially leading to full system compromise. How to fix Arbitrary Code Injection? Upgrade `anki` to version 24.6 or higher.	[,24.6)
L Incomplete List of Disallowed Inputs Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to a LaTeX blocklist bypass in the LaTeX processing functionality. The LaTeX module fails to enforce its blocklist properly, allowing specially crafted malicious flashcards to create arbitrary files at a fixed path. An attacker can exploit this by sharing a malicious flashcard that, when imported or rendered by Anki, creates files at predetermined locations on the user’s system, potentially enabling further unwanted actions such as remote code execution. How to fix Incomplete List of Disallowed Inputs? Upgrade `anki` to version 24.6 or higher.	[,24.6)
M Inclusion of Functionality from Untrusted Control Sphere Affected versions of this package are vulnerable to Inclusion of Functionality from Untrusted Control Sphere due to incomplete LaTeX sanitization that fails to block the `verbatim` package. The Latex handling module overlooks the `verbatim` package during sanitization, allowing specially crafted flashcards to include commands that read arbitrary files. An attacker can exploit this by sharing a malicious flashcard that when rendered, causes the application to read files on the user’s system, potentially exposing sensitive local data. How to fix Inclusion of Functionality from Untrusted Control Sphere? Upgrade `anki` to version 24.6 or higher.	[,24.6)
H Uncontrolled Search Path Element Affected versions of this package are vulnerable to Uncontrolled Search Path Element via the integration with `mpv`, an attacker can achieve arbitrary code execution by including a malicious executable within a shared deck. Note: This vulnerability is specific to Windows operating systems due to the inclusion of the current working directory in the system PATH. How to fix Uncontrolled Search Path Element? Upgrade `anki` to version 25.2.5 or higher.	[,25.2.5)

Vulnerability

Vulnerable Version

Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper handling of MPV functionality in flashcards. The MPV component processes user-supplied flashcard content with insufficient sanitization, enabling crafted inputs to execute arbitrary scripts on Windows systems. An attacker can exploit this by distributing a specially crafted flashcard to a userresulting in arbitrary code execution within the user's context, potentially leading to full system compromise.

How to fix Arbitrary Code Injection?

Upgrade anki to version 24.6 or higher.

[,24.6)

Incomplete List of Disallowed Inputs

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to a LaTeX blocklist bypass in the LaTeX processing functionality. The LaTeX module fails to enforce its blocklist properly, allowing specially crafted malicious flashcards to create arbitrary files at a fixed path. An attacker can exploit this by sharing a malicious flashcard that, when imported or rendered by Anki, creates files at predetermined locations on the user’s system, potentially enabling further unwanted actions such as remote code execution.

How to fix Incomplete List of Disallowed Inputs?

Upgrade anki to version 24.6 or higher.

[,24.6)

Inclusion of Functionality from Untrusted Control Sphere

Affected versions of this package are vulnerable to Inclusion of Functionality from Untrusted Control Sphere due to incomplete LaTeX sanitization that fails to block the verbatim package. The Latex handling module overlooks the verbatim package during sanitization, allowing specially crafted flashcards to include commands that read arbitrary files. An attacker can exploit this by sharing a malicious flashcard that when rendered, causes the application to read files on the user’s system, potentially exposing sensitive local data.

How to fix Inclusion of Functionality from Untrusted Control Sphere?

Upgrade anki to version 24.6 or higher.

[,24.6)

Uncontrolled Search Path Element

Affected versions of this package are vulnerable to Uncontrolled Search Path Element via the integration with mpv, an attacker can achieve arbitrary code execution by including a malicious executable within a shared deck.

Note: This vulnerability is specific to Windows operating systems due to the inclusion of the current working directory in the system PATH.

How to fix Uncontrolled Search Path Element?

Upgrade anki to version 25.2.5 or higher.

[,25.2.5)

anki@2.1.57rc1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?