CVE-2019-25158 — Pedroetb TTS-API OS Command Injection

Description

A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version 2.2.0 is able to address this issue. The patch is identified as 29d9c25415911ea2f8b6de247cb5c4607d13d434. It is recommended to upgrade the affected component. VDB-248278 is the identifier assigned to this vulnerability.

How to fix CVE-2019-25158

To remediate CVE-2019-25158, upgrade the affected package to a fixed version below.

—upgrade to 2.2.0 or later

Is CVE-2019-25158 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-25158
PATCHgithub.com/pedroetb/tts-api
WEBgithub.com/pedroetb/tts-api/commit/29d9c25415911ea2f8b6de247cb5c4607d13d434
WEBgithub.com/pedroetb/tts-api/releases/tag/v2.2.0
WEB