
CVE-2019-25158: Pedroetb TTS-API OS Command Injection

CVSS Score: 9.8 (CVSS 3.1)
Basic Information

EPSS Score: 0.75214%
Published: 12/19/2023
Updated: 12/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: tts-api
Ecosystem: npm
Vulnerable Versions: < 2.2.0
First Patched Version: 2.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key points:

  1. processData used child_process.exec, which hands its command string to the system shell for parsing, with untrusted input.
  2. The command-generation functions concatenated user input into that shell command string without sanitization, so shell metacharacters in the input were interpreted as command syntax.

Though the CVE description mentions onSpeechDone, analysis of the commit diff shows:

  • The critical fix replaced exec() with spawn() in processData.
  • The command-generation functions were changed to return the program and its arguments as a parameterized arguments array instead of a single command string.
  • onSpeechDone was a callback invoked when the command completed, not the point of execution. The root vulnerability lay in how commands were constructed and executed, not in how their results were handled.

WAF Protection Rules

WAF Rule

A vulnerability has been found in pedroetb tts-api up to *.*.* and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version *.*.* is able to
