CVE-2024-31206
CWE-300Published: April 4, 2024· Updated: Jun 17, 2026
Official Description
dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `[email protected]`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.
Technical Analysis
CVE-2024-31206 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
A successful exploit results in full integrity compromise (data manipulation), with a CVSS base score of 8.2.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (10)
Quick Facts
Related CVEs (CWE-300)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2024-31206 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts