CVE-2019-25158: 
JavaScript vulnerability analysis and mitigation

A critical vulnerability has been discovered in pedroetb tts-api up to version 2.1.4. The vulnerability affects the onSpeechDone function in app.js and allows for OS command injection. This vulnerability was assigned CVE-2019-25158 and was disclosed on December 19, 2023 (NVD).

The vulnerability exists in the onSpeechDone function of app.js file and allows for OS command injection through improper neutralization of special elements. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it can be exploited remotely with no privileges required (NVD).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary OS commands on the affected system, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in version 2.2.0. The patch (29d9c25415911ea2f8b6de247cb5c4607d13d434) changes the command execution approach from 'child_process.exec' to 'child_process.spawn', removing the possibility of sending shell commands to the API. Users are strongly recommended to upgrade to version 2.2.0 or later (GitHub Patch, GitHub Release).