Git Product home page Git Product logo

voice-google-speechtotext-js's Introduction

Nexmo + Google Cloud Speech Transcription Demo

Deploy

You can use this code as a base for doing real time transcription of a phone call using Google Speech to Text API.

An audio stream is sent via websocket connection to your server and then relayed to the Google streaming interface. Speech recognition is performed and the text returned to the console.

Google Speech to Text API

You will need to set up a Google Cloud project and service account. Once these steps are completed, you will have a downloaded JSON file to set up the rest of the project. You will need this file prior to using the Deploy to Heroku button. If you plan on running this locally, make sure this file is saved in the project folder.

Running the App

Running on Heroku

In order to run this on Heroku, you will need to gather the following information:

  1. API_KEY - This is the API key from your Nexmo Account.
  2. API_SECRET - This is the API secret from your Nexmo Account.
  3. GOOGLE_CLIENT_EMAIL - You can find this in the google_creds.json file as client_email
  4. GOOGLE_PRIVATE_KEY - You can find this in the google_creds.json file as private_key.
  5. Be sure to select everything as -----BEGIN PRIVATE KEY-----\nXXXXXXXXX\n-----END PRIVATE KEY-----\n

This will create a new Nexmo application and phone number to begin testing with. View the logs to see the transcription response from the service. You can do this in the Heroku dashboard, or with the Heroku CLI using heroku logs -t.

Linking the app to Nexmo

You will need to create a new Nexmo application in order to work with this app:

Create a Nexmo Application Using the Command Line Interface

Install the CLI by following these instructions. Then create a new Nexmo application that also sets up your answer_url and event_url for the app running locally on your machine.

nexmo app:create google-speech-to-text http://<your_hostname>/ncco http://<your_hostname>/event

This will return an application ID. Make a note of it.

Buy a New Virtual Number

If you don't have a number already in place, you will need to buy one. This can also be achieved using the CLI by running this command:

nexmo number:buy

Link the Virtual Number to the Application

Finally, link your new number to the application you created by running:

nexmo link:app YOUR_NUMBER YOUR_APPLICATION_ID

Local Install

To run this on your machine you'll need an up-to-date version of Node.

Start by installing the dependencies with:

npm install

Then copy the example.env file to a new file called .env:

cp .env.example > .env

Edit the .env file to add in your application ID and the location of the credentials file from Google.

GOOGLE_APPLICATION_CREDENTIALS=./google_creds.json
APP_ID="12345678-aaaa-bbbb-4321-1234567890ab"
LANG_CODE="en-US"

Tools like ngrok are great for exposing ports on your local machine to the internet. If you haven't done this before, check out this guide.

If you aren't going to be working in the en-US language then you can change the language to any of the other supported languages listed in the Google Speech to Text API documentation.

Using Docker

To run the app using Docker run the following command in your terminal:

docker-compose up

This will create a new image with all the dependencies and run it at http://localhost:3000.

voice-google-speechtotext-js's People

Contributors

aaronbassett avatar hppranaav avatar html5cat avatar kellyjandrews avatar sammachin avatar tbass134 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

hamik112 html5cat malinamircescu sumitbhavra rajabanerjee1 sammachin safecab hosamamin96 andradaioanabogoi sheltertechsf arumugaguru divsinghal alejandroluperon weismannweb noobx7

voice-google-speechtotext-js's Issues

express-4.18.2.tgz: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/package.json

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (express version) Remediation Possible**
CVE-2024-29041 Medium 6.1 express-4.18.2.tgz Direct 4.19.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-29041

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express/package.json

Dependency Hierarchy:

  • express-4.18.2.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: 4.19.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

PLEASE HELP! Audio Data streamed too slow Google Speech API

ERROR:
Error: 11 OUT_OF_RANGE: Audio data is being streamed too slow. Please stream audio data approximately at real time.
at createStatusError (D:\nodejs\socket-nexmo\node_modules\grpc\src\client.js:64:15)
at ClientDuplexStream._emitStatusIfDone
(D:\nodejs\socket-nexmo\node_modules\grpc\src\client.js:270:19)
at ClientDuplexStream._receiveStatus (D:\nodejs\socket-nexmo\node_modules\grpc\src\client.js:248:8)
at D:\nodejs\socket-nexmo\node_modules\grpc\src\client.js:804:12
code: 11,
metadata: Metadata { _internal_repr: { 'content-disposition': [Array] } },
details: 'Audio data is being streamed too slow. Please stream audio data approximately at real time.' }

CODE:
var WebSocketServer = require('websocket').server;
var http = require('http');
var HttpDispatcher = require('httpdispatcher');
var dispatcher = new HttpDispatcher();
const fs = require('fs');

const speech = require('@google-cloud/speech');
const client = new speech.SpeechClient({
keyFilename: XXXXXXXXXX
});

// Speech Recognition Initialization
const encoding = 'LINEAR16';
const sampleRateHertz = 16000;
const languageCode = 'en-US';
const single_utterance = true;
const request = {
config: {
encoding: encoding,
sampleRateHertz: sampleRateHertz,
languageCode: languageCode
},
singleUtterance: true,
interimResults: true // If you want interim results, set this to true
};

const recognizeStream = client
.streamingRecognize(request)
.on('error', console.error)
.on('data', data => {
db.get('posts')
.push(data)
.write();
});

function handleRequest(request, response) {
try {
//log the request on console
console.log(request.url);
//Dispatch
dispatcher.dispatch(request, response);
} catch (err) {
console.log(err);
}
}

// Serve the ncco
dispatcher.onGet("/ncco", function (req, res) {
fs.readFile('./ncco.json', function (error, data) {
res.writeHead(200, { 'Content-Type': 'application/json' });
res.end(data, 'utf-8');
});
});

//Create a Websocket server
var server = http.createServer(handleRequest);

var wsServer = new WebSocketServer({
httpServer: server,
autoAcceptConnections: true,

});

// Websockets Server Connection Configuration
wsServer.on('connect', (connection)=>{
connection.on('message', (message) => {
//Send to Google Speech API by passing into recognizeStream
if (message.type === 'utf8') { console.log(message.utf8Data); }
if (message.type === 'binary') {
recognizeStream.write(message.binaryData);
}
});
connection.on('close',(reasonCode, description) => {
console.log((new Date()) + ' Peer ' + connection.remoteAddress + ' disconnected.');
});
});

//Lets start our server
server.listen(5050, function () {
//Callback triggered when server is successfully listening. Hurray!
console.log("Server listening on: http://localhost:%s", 5050);
});

nexmo-2.9.1.tgz: 6 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - nexmo-2.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nexmo version) Remediation Possible**
CVE-2023-26136 Critical 9.8 tough-cookie-2.5.0.tgz Transitive N/A*
CVE-2022-23539 High 8.1 jsonwebtoken-8.5.1.tgz Transitive N/A*
CVE-2022-23540 High 7.6 jsonwebtoken-8.5.1.tgz Transitive N/A*
CVE-2022-25883 High 7.5 semver-5.7.1.tgz Transitive N/A*
CVE-2022-23541 Medium 6.3 jsonwebtoken-8.5.1.tgz Transitive N/A*
CVE-2023-28155 Medium 6.1 request-2.88.2.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • nexmo-2.9.1.tgz (Root Library)
    • request-2.88.2.tgz
      • tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.9.1.tgz (Root Library)
    • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.9.1.tgz (Root Library)
    • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

  • nexmo-2.9.1.tgz (Root Library)
    • jsonwebtoken-8.5.1.tgz
      • semver-5.7.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • nexmo-2.9.1.tgz (Root Library)
    • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

  • nexmo-2.9.1.tgz (Root Library)
    • request-2.88.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Demo not working

Hi
I've cloned the repo as is, set up everything according to the README but... it doesn't work.
First, line 161, I've got an exception "ReferenceError: request is not defined" after I enter the number of the language in the phone call.
After that, if I comment this line, I don't have the audio stream in run-time. I just have the recording downloaded at the end. Where is it supposed to conect to the nexmo websocket voice api?

DeprecationWarning: grpc.load

Getting error "DeprecationWarning: grpc.load: Use the @grpc/proto-loader module with grpc.loadPackageDefinition instead" when starting the node application.

speech-2.3.1.tgz: 11 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - speech-2.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (speech version) Remediation Possible**
CVE-2023-36665 Critical 9.8 protobufjs-6.11.3.tgz Transitive 3.0.0
CVE-2020-7768 Critical 9.8 grpc-js-0.3.6.tgz Transitive 3.0.0
CVE-2022-25883 High 7.5 detected in multiple dependencies Transitive 4.0.0
CVE-2022-25878 High 7.5 protobufjs-5.0.3.tgz Transitive 3.0.0
CVE-2022-24772 High 7.5 node-forge-0.10.0.tgz Transitive 4.0.0
CVE-2022-24771 High 7.5 node-forge-0.10.0.tgz Transitive 4.0.0
CVE-2020-8237 High 7.5 json-bigint-0.3.1.tgz Transitive 4.0.0
WS-2022-0008 Medium 6.6 node-forge-0.10.0.tgz Transitive 4.0.0
CVE-2024-28863 Medium 6.5 tar-6.1.11.tgz Transitive N/A*
CVE-2022-0122 Medium 6.1 node-forge-0.10.0.tgz Transitive 4.0.0
CVE-2022-24773 Medium 5.3 node-forge-0.10.0.tgz Transitive 4.0.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-36665

Vulnerable Library - protobufjs-6.11.3.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/protobufjs/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • protobufjs-6.11.3.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Publish Date: 2023-07-05

URL: CVE-2023-36665

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36665

Release Date: 2023-07-05

Fix Resolution (protobufjs): 6.11.4

Direct dependency fix Resolution (@google-cloud/speech): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7768

Vulnerable Library - grpc-js-0.3.6.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.3.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • google-gax-0.25.6.tgz
      • grpc-js-0.3.6.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Publish Date: 2020-11-11

URL: CVE-2020-7768

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Release Date: 2020-11-11

Fix Resolution (@grpc/grpc-js): 1.1.8

Direct dependency fix Resolution (@google-cloud/speech): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25883

Vulnerable Libraries - semver-6.3.0.tgz, semver-7.3.8.tgz

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/make-dir/node_modules/semver/package.json,/node_modules/google-gax/node_modules/semver/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • google-gax-0.25.6.tgz
      • semver-6.3.0.tgz (Vulnerable Library)

semver-7.3.8.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@mapbox/node-pre-gyp/node_modules/semver/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • google-gax-0.25.6.tgz
      • grpc-1.24.11.tgz
        • node-pre-gyp-1.0.10.tgz
          • semver-7.3.8.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 6.3.1

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

Fix Resolution (semver): 6.3.1

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25878

Vulnerable Library - protobufjs-5.0.3.tgz

Protocol Buffers for JavaScript. Finally.

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-5.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/protobufjs/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • google-gax-0.25.6.tgz
      • grpc-1.24.11.tgz
        • protobufjs-5.0.3.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

Publish Date: 2022-05-27

URL: CVE-2022-25878

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25878

Release Date: 2022-05-27

Fix Resolution (protobufjs): 6.10.3

Direct dependency fix Resolution (@google-cloud/speech): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24772

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • common-0.31.1.tgz
      • google-auth-library-3.1.2.tgz
        • gtoken-2.3.3.tgz
          • google-p12-pem-1.0.5.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24771

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • common-0.31.1.tgz
      • google-auth-library-3.1.2.tgz
        • gtoken-2.3.3.tgz
          • google-p12-pem-1.0.5.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8237

Vulnerable Library - json-bigint-0.3.1.tgz

JSON.parse with bigints support

Library home page: https://registry.npmjs.org/json-bigint/-/json-bigint-0.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-bigint/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • common-0.31.1.tgz
      • google-auth-library-3.1.2.tgz
        • gcp-metadata-1.0.0.tgz
          • json-bigint-0.3.1.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.

Publish Date: 2020-09-18

URL: CVE-2020-8237

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/916430

Release Date: 2020-09-30

Fix Resolution (json-bigint): 1.0.0

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • common-0.31.1.tgz
      • google-auth-library-3.1.2.tgz
        • gtoken-2.3.3.tgz
          • google-p12-pem-1.0.5.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-28863

Vulnerable Library - tar-6.1.11.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • google-gax-0.25.6.tgz
      • grpc-1.24.11.tgz
        • node-pre-gyp-1.0.10.tgz
          • tar-6.1.11.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • common-0.31.1.tgz
      • google-auth-library-3.1.2.tgz
        • gtoken-2.3.3.tgz
          • google-p12-pem-1.0.5.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24773

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • speech-2.3.1.tgz (Root Library)
    • common-0.31.1.tgz
      • google-auth-library-3.1.2.tgz
        • gtoken-2.3.3.tgz
          • google-p12-pem-1.0.5.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: b261e3d7bbad3c7547b43f4a546a878331b96db6

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@google-cloud/speech): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Improve search engine

The Search only returns values if you start by entering a number.
You can't search directly for a language.

If you enter Thai, it won't return anything. Whereas if you enter 1,11 or 113, the Thai language will be displayed.

A quick workaround - I suppose - would be to list the language first, then the ID.

2018-02-08_2232

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.