Skip to content

dectalk-tts Uses Unencrypted HTTP Request

High severity GitHub Reviewed Published Apr 3, 2024 in JstnMcBrd/dectalk-tts • Updated Apr 5, 2024

Package

npm dectalk-tts (npm)

Affected versions

= 1.0.0

Patched versions

1.0.1

Description

Impact

In dectalk-tts@1.0.0, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack.

Theft

Because dectalk-tts is a text-to-speech package, user requests are expected to only contain natural language. The package README warns that user input is sent to a third-party API, so users should not send sensitive information regardless.

But if users ignore the warnings and send sensitive information anyway, that information could be stolen by attackers.

Modification

Attackers could manipulate requests to the API. However, the worst a modified request could do is return an incorrect audio file or bad request rejection.

Attackers could also manipulate responses from the API, returning malicious output to the user. Output is expected to be a wav-encoded buffer, which users will likely save to a file. This could be a dangerous entrypoint to the user's filesystem.

Patches

The network request was upgraded to HTTPS in version 1.0.1. No other changes were made, so updating is risk-free.

Workarounds

There are no workarounds, but here are some precautions:

  • Do not send any sensitive information.

  • Carefully verify the API response before saving it.

References

Vulnerable code
Original report
Patch pull request

References

@JstnMcBrd JstnMcBrd published to JstnMcBrd/dectalk-tts Apr 3, 2024
Published to the GitHub Advisory Database Apr 4, 2024
Reviewed Apr 4, 2024
Published by the National Vulnerability Database Apr 4, 2024
Last updated Apr 5, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS score

0.045%
(16th percentile)

Weaknesses

CVE ID

CVE-2024-31206

GHSA ID

GHSA-6cf6-8hvr-r68w

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.