{"id":"CVE-2024-31206","summary":"Use of Unencrypted HTTP Request in dectalk-tts","details":"dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.","aliases":["GHSA-6cf6-8hvr-r68w"],"modified":"2026-04-16T04:13:03.868709Z","published":"2024-04-04T22:10:29.200Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31206.json","cwe_ids":["CWE-300","CWE-319","CWE-598"]},"references":[{"type":"WEB","url":"https://github.com/JstnMcBrd/dectalk-tts/blob/b3e92156cbb699218ac9b9c7d8979abd0e635767/src/index.ts#L18"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31206.json"},{"type":"ADVISORY","url":"https://github.com/JstnMcBrd/dectalk-tts/security/advisories/GHSA-6cf6-8hvr-r68w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31206"},{"type":"REPORT","url":"https://github.com/JstnMcBrd/dectalk-tts/issues/3"},{"type":"FIX","url":"https://github.com/JstnMcBrd/dectalk-tts/commit/3600d8ac156f27da553ac4ead46d16989a350105"},{"type":"FIX","url":"https://github.com/JstnMcBrd/dectalk-tts/pull/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jstnmcbrd/dectalk-tts","events":[{"introduced":"0"},{"fixed":"3600d8ac156f27da553ac4ead46d16989a350105"}]},{"type":"GIT","repo":"https://github.com/jstnmcbrd/dectalk-tts","events":[{"introduced":"0"},{"fixed":"3600d8ac156f27da553ac4ead46d16989a350105"}]}],"versions":["v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-31206.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}]}