CVE-2019-1010200
Description
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the servers. The component is: Two web servers in the projects expose three vulnerable endpoints that can be accessed remotely. The endpoints are defined at:
- /tts: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/merlin_model_server/api.js#L34
- /alignment: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/festival_model_server/api.js#L28
- /tts: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/festival_model_server/api.js#L65
The attack vector is: Attacker sends a GET request to the vulnerable endpoint with a specially formatted query parameter. The fixed version is: After commit f6660e6d8f0d1d931359d591dbdec580fef36d36.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < commit c145d4604df67e6fc625992412eef0bf9a85e26b
- Voice Builder/Voice Builder v5. Range: Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 [fixed: After commit f6660e6d8f0d1d931359d591dbdec580fef36d36]
Vulnerability mechanics
Root cause
"The application does not properly sanitize user-supplied input before passing it to system commands."
Attack vector
An attacker can send a GET request to vulnerable endpoints such as `/tts` or `/alignment` with a specially formatted query parameter containing OS command injection payloads. The application then incorporates this unsanitized input into a system command, leading to remote code execution with the privileges of the server. The vulnerable endpoints are exposed by two web servers within the project [ref_id=1, ref_id=2].
Affected code
The vulnerability exists in the `api.js` files for both the merlin and festival model servers. Specifically, the `/tts` endpoint in `merlin_model_server/api.js` and the `/alignment` and `/tts` endpoints in `festival_model_server/api.js` are affected. The original code directly used query parameters in system commands without proper sanitization [ref_id=1, ref_id=2].
What the fix does
The patch introduces a new utility function `replaceCharactersWithSpaces` which sanitizes user input by replacing potentially harmful characters with spaces before it is used in system commands. This prevents the injection of arbitrary commands by ensuring that special characters are neutralized. The function is then applied to the input text in both the `/tts` and `/alignment` endpoints [ref_id=1, ref_id=2].
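The sanitize-before-use pattern described above, as an added Node.js example that is not the project's patch code. The function names, the allowed character set and the use of the Node runtime as a stand-in for the synthesis binary are assumptions, and passing the text as an argv element instead of through a shell is an extra hardening layer that goes beyond the fix described here.

```javascript
// Added example, not the project's code. All function names are hypothetical.
const { execFileSync } = require('child_process');

// Allow-list sanitizer in the spirit of the fix's replaceCharactersWithSpaces.
// The real function's character set is not shown on this page; this rule
// (keep letters, combining marks, digits, spaces, '.' and ',') is an assumption.
function replaceUnsafeWithSpaces(text) {
  return text.replace(/[^\p{L}\p{M}\p{N} .,]/gu, ' ');
}

// Stand-in for the synthesis binary (assumption): the Node runtime itself,
// echoing back the last argument it received so the caller sees what arrived.
const ECHO = ['-e', 'process.stdout.write(process.argv[process.argv.length - 1])', '--'];

// execFileSync spawns the program directly, with no shell in between, so
// `arg` reaches it as a single argv element whatever characters it contains.
function echoViaArgv(arg) {
  return execFileSync(process.execPath, [...ECHO, arg], { encoding: 'utf8', timeout: 10000 });
}

// Handler-side logic for a text query parameter: type and length checks,
// then sanitize, then pass the result as data rather than as command text.
function synthesize(text, maxLen = 500) {
  // A repeated query key (?text=a&text=b) is parsed as an array by common
  // Node query parsers, so reject anything that is not a plain string.
  if (typeof text !== 'string' || text.length === 0 || text.length > maxLen) {
    throw new RangeError('text must be a non-empty string of at most ' + maxLen + ' characters');
  }
  return echoViaArgv(replaceUnsafeWithSpaces(text));
}

// Constructed sample input containing shell metacharacters.
const sample = 'good morning; & | $ ` ( ) < >';
console.log(JSON.stringify(replaceUnsafeWithSpaces(sample))); // metacharacters become spaces
console.log(JSON.stringify(echoViaArgv(sample)));             // arrives verbatim, as data
```

The two layers are independent: the sanitizer limits what the downstream tool sees, and the shell-free call keeps anything the sanitizer misses from being parsed as command syntax.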
Preconditions
- network: The vulnerable web servers must be accessible over the network.
- input: The attacker must be able to craft a GET request with a specially formatted query parameter.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/google/voice-builder/commit/c145d4604df67e6fc625992412eef0bf9a85e26b (mitre, x_refsource_MISC)
- github.com/google/voice-builder/commit/f6660e6d8f0d1d931359d591dbdec580fef36d36 (mitre, x_refsource_MISC)