CVE-2016-10697

Name of the Vulnerable Software and Affected Versions react-native-baidu-voice-synthesizer (affected versions not specified)

Description The issue concerns the react-native-baidu-voice-synthesizer downloading resources over HTTP, making it susceptible to Man-in-the-Middle (MITM) attacks. This could potentially lead to remote code execution (RCE) if an attacker intercepts and alters the requested resources. In scenarios where an attacker has a privileged network position, they can replace the executable with a malicious one, resulting in code execution on the system running the synthesizer.

Recommendations To mitigate the issue, avoid using the react-native-baidu-voice-synthesizer package if possible, and consider using a different package instead. As a temporary measure, reduce the risk of exploitation by avoiding the installation of this package while connected to a public network. If the package is installed on a private network, ensure that the network is secure to minimize the risk of exploitation by those who may have compromised the network or have privileged access to the ISP. At the moment, there is no information about a newer version that contains a fix for this vulnerability.