September 27, 2023

GHSL-2023-026: Cross-site scripting (XSS) in Common Voice - CVE-2023-42808

Jorge Rosillo

Coordinated Disclosure Timeline


Common Voice is vulnerable to Cross-Site Scripting (XSS).


Common Voice

Tested Version



Issue: User-controlled data used in path expression in fetchLegalDocument (GHSL-2023-026)

Common Voice is vulnerable to reflected Cross-Site Scripting because user-controlled data (the locale URL path parameter) flows, without validation, into a path expression (the path of an outbound network request).

private setupPrivacyAndTermsRoutes() {
  // ... route registration elided in the advisory excerpt; the handler below
  // receives `locale` straight from the request path parameter ...
    async ({ params: { locale } }, response) => {
      response.send(await fetchLegalDocument('privacy_notice', locale));
    }
  // ...
}

setupPrivacyAndTermsRoutes takes locale and passes it to fetchLegalDocument.

import * as commonmark from 'commonmark';
// The HTTP client (`request`, a request-promise style API judging by
// `resolveWithFullResponse`) and the `localeMapping` table are imported
// elsewhere in the module; those imports are not part of the advisory excerpt.

export default async function fetchLegalDocument(
  name: string,
  locale: string
): Promise<string> {
  // `locale` is the raw path parameter: known locales are remapped,
  // everything else is passed through unchanged.
  const legalLocale = localeMapping[locale] ?? locale;

  const [status, text] = await request({
    // The base URL of the legal-documents repository precedes
    // `${legalLocale}` in the original source; it is elided in this excerpt.
    uri: `${legalLocale}/common_voice_${name}.md`,
    resolveWithFullResponse: true,
  })
    .then((response: any) => [response.statusCode, response.body])
    .catch(response => [response.statusCode, null]);

  let textHTML: string;
  if (status >= 400 && status < 500) {
    // ... "document not found" fallback elided in the advisory excerpt ...
  } else if (status < 300) {
    // The fetched markdown is rendered to HTML and returned as-is.
    textHTML = new commonmark.HtmlRenderer().render(
      new commonmark.Parser().parse(
        // There's a parseable datetime string in the legal documents, which we don't need to show
        (text as string).replace(/{:\sdatetime=".*" }/, '')
      )
    );
  }
  return textHTML;
}

fetchLegalDocument retrieves a file whose path includes the provided locale, so an attacker can supply ../ segments to traverse into another repository, e.g. ../../../jorgectf-testing/poc/main/poc.html#.
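The following is an added example, not code from the advisory or from the Common Voice project, showing the vulnerable URL construction beside a hardened one. The base URL, the document-name list and the function names are assumptions for illustration (the real base URL is not reproduced in the advisory); the locale mapping table is a constructed stand-in. The hardened version allowlists the locale before it reaches the path and, as defense in depth, re-parses the resolved URL and rejects anything that leaves the base directory or carries a query or fragment, which is exactly how the trailing `#` in the traversal payload cuts off the expected `common_voice_<name>.md` suffix.

```typescript
// Added example (not Common Voice project code): locale validation and
// URL-containment checks for a fetchLegalDocument-style path.

// Constructed stand-in for the project's localeMapping table.
const localeMapping: Record<string, string> = { 'zh-TW': 'zh-TW', 'pt-BR': 'pt' };

// Placeholder base URL of the repository holding the legal documents
// (assumption; the real one is elided in the advisory excerpt).
const LEGAL_DOCS_BASE = 'https://example.invalid/legal-docs/main/';

// Vulnerable construction, as in the advisory: `locale` is interpolated into
// the request path unvalidated, so `../` segments and a trailing `#` escape
// the intended directory once the HTTP client resolves the URL.
function vulnerableLegalDocumentUrl(name: string, locale: string): string {
  const legalLocale = localeMapping[locale] ?? locale;
  return new URL(`${legalLocale}/common_voice_${name}.md`, LEGAL_DOCS_BASE).href;
}

// Hardened construction:
//  (1) allowlist the document name,
//  (2) allowlist the locale against a strict BCP 47-style pattern
//      (letters, digits and hyphens only; no slashes, dots, `#` or `?`),
//  (3) resolve the URL the way the client would and verify it still lies
//      under the base directory with no query string or fragment.
const LOCALE_PATTERN = /^[a-z]{2,3}(-[A-Za-z0-9]{1,8})*$/;
// 'privacy_notice' is the name used on the page; other names are assumptions.
const DOCUMENT_NAMES = new Set(['privacy_notice']);

function safeLegalDocumentUrl(name: string, locale: string): string {
  if (!DOCUMENT_NAMES.has(name)) {
    throw new Error(`unknown legal document: ${name}`);
  }
  if (!LOCALE_PATTERN.test(locale)) {
    throw new Error(`invalid locale: ${JSON.stringify(locale)}`);
  }
  const legalLocale = localeMapping[locale] ?? locale;
  const resolved = new URL(`${legalLocale}/common_voice_${name}.md`, LEGAL_DOCS_BASE);
  if (
    !resolved.href.startsWith(LEGAL_DOCS_BASE) ||
    resolved.search !== '' ||
    resolved.hash !== ''
  ) {
    throw new Error('resolved URL escapes the legal-docs base directory');
  }
  return resolved.href;
}

// Convenience predicate: would this locale be accepted by the hardened path?
function isSafeLocale(locale: string): boolean {
  try {
    safeLegalDocumentUrl('privacy_notice', locale);
    return true;
  } catch {
    return false;
  }
}

// Demonstration on realistic inputs, including the advisory's traversal payload.
const traversal = '../../../jorgectf-testing/poc/main/poc.html#';
console.log('vulnerable:', vulnerableLegalDocumentUrl('privacy_notice', traversal));
console.log('hardened en:', safeLegalDocumentUrl('privacy_notice', 'en'));
console.log('hardened traversal accepted?', isSafeLocale(traversal));
```

The allowlist is the actual fix; the containment check only catches cases the pattern was too loose for. Note that the vulnerable URL resolves to a path under `jorgectf-testing/...` on the same host, with the expected `common_voice_privacy_notice.md` suffix relegated to the fragment, which is why a file of the attacker's choosing is fetched and returned from the server's own origin. Validating the input before it reaches the path also removes the need to reason about which HTTP client normalises `..` and how.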

Proof of Concept

curl ''


This issue may lead to reflected Cross-Site Scripting (XSS): the attacker-chosen content is served from Common Voice's own server origin.

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).


You can contact the GHSL team at, please include a reference to GHSL-2023-026 in any communication regarding this issue.