Advisories for Npm/Dectalk-Tts package

2024

dectalk-tts Uses Unencrypted HTTP Request

In dectalk-tts@1.0.0, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. Theft Because dectalk-tts is a text-to-speech package, user requests are expected to only contain natural language. The package README warns that user input is sent to a third-party API, so users …