PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10194 Festivaltts4r Project CVE debrief

CVE-2016-10194 is a critical command-injection flaw in the Ruby festivaltts4r gem. NVD describes remote attackers being able to execute arbitrary commands by supplying shell metacharacters in a string passed to to_speech or to_mp3 in lib/festivaltts4r/festival4r.rb. The issue is rated CVSS 9.8 (network exploitable, no privileges, no user interaction) and maps to CWE-77. Public references include oss-security posts and a GitHub issue discussing the problem and patch work.

Vendor
Festivaltts4r Project
Product
festivaltts4r (Ruby gem; NVD CPE festivaltts4r_project:festivaltts4r)
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Ruby application owners, maintainers, and security teams that depend on festivaltts4r; especially services that accept user-controlled text and pass it to to_speech or to_mp3. Any environment using the gem should treat this as an immediate review item because the weakness can lead to remote command execution.

Technical summary

NVD records the vulnerable CPE broadly as festivaltts4r_project:festivaltts4r for Ruby, with no version bounds, and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is CWE-77 (Improper Neutralization of Special Elements used in a Command): the text handed to the gem's speech/MP3 methods ends up inside a shell command line, so characters such as ;, |, &, $( ) and backticks are interpreted by the shell rather than treated as data to be spoken. The supplied corpus does not identify a fixed version, only references to advisories, patch discussion, and an issue tracker entry; until a fixed version is confirmed against the patch, treat every installed version as affected.

Defensive priority

Critical. Treat as an urgent remediation item for any exposed or production use of festivaltts4r.

Recommended defensive actions

  • Inventory where festivaltts4r is installed or bundled and identify any code paths that call to_speech or to_mp3 with user-influenced strings.
  • Remove or replace the gem if it is no longer needed; otherwise apply the vendor/community patch referenced in the supplied advisories.
  • Review application logic for any shell invocation patterns (system, backticks, %x, spawn, popen, Open3 calls that take a single command string) and ensure untrusted input is never concatenated or interpolated into a command string.
  • Where a process must be launched, pass the program and its arguments as separate array elements so no shell is involved, or, if a pipeline is unavoidable, escape the untrusted value with Shellwords.escape; additionally allow-list the characters the application is willing to pass to the speech engine.
  • Retest affected applications after remediation and confirm the vulnerable code paths are no longer reachable.
  • Monitor for suspicious command execution activity on systems that used the gem before remediation.
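The following is an added illustration for this debrief, not code from the festivaltts4r gem or from the advisories. It builds a text-to-speech wrapper the way the NVD description implies (the text interpolated into a shell command line) and places it beside the two hardened forms recommended above, plus the allow-list check. The helper names, and the use of echo/printf piped to cat and of the Ruby interpreter itself as a stand-in for the festival pipeline, are assumptions so that the example runs without festival installed.

```ruby
# Added example for CVE-2016-10194 class issues (CWE-77 in a Ruby shell wrapper).
# Not the festivaltts4r gem's own code; helper names and the stand-in commands
# are assumptions so the file runs offline without a speech engine.
require "open3"
require "shellwords"
require "rbconfig"

# Vulnerable pattern: the untrusted string is interpolated into ONE command
# string. Because that string contains a pipe, Ruby hands it to /bin/sh, so any
# shell metacharacters in `text` (; | & $( ) ` ...) become shell syntax.
def speak_vulnerable(text)
  out, _status = Open3.capture2("echo #{text} | cat")
  out
end

# Hardened form 1 (preferred): argv form. With the program and each argument
# passed separately, Ruby execs the program directly, no shell is involved, and
# `text` reaches the child as a single literal argument. The Ruby interpreter
# stands in for the speech engine here (assumption for a self-contained run).
def speak_safe_argv(text)
  out, _status = Open3.capture2(RbConfig.ruby, "-e", "print ARGV[0]", "--", text)
  out
end

# Hardened form 2: when a shell pipeline is genuinely required, escape the
# untrusted value with Shellwords so the shell sees exactly one word.
def speak_safe_pipeline(text)
  out, _status = Open3.capture2("printf %s #{Shellwords.escape(text)} | cat")
  out
end

# Defence in depth: allow-list what the application is willing to speak at all.
# This is an application policy choice, not a substitute for forms 1 and 2.
SPEAKABLE = /\A[[:alnum:][:space:].,!?'-]+\z/
def speakable?(text)
  SPEAKABLE.match?(text)
end

if __FILE__ == $PROGRAM_NAME
  payload = "hello; echo INJECTED" # constructed attacker input
  puts "vulnerable: #{speak_vulnerable(payload).inspect}"    # second command ran
  puts "argv:       #{speak_safe_argv(payload).inspect}"     # literal text only
  puts "pipeline:   #{speak_safe_pipeline(payload).inspect}" # literal text only
  puts "allowed?:   #{speakable?(payload)}"                  # false
end
```

Run the file directly to see the contrast: the vulnerable wrapper's output contains a second line produced by the injected command, while both hardened wrappers return the payload as literal text. The argv form is the one to reach for first; Shellwords.escape is correct but easy to forget on the next call site.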

Evidence notes

The debrief is based on the supplied NVD record for CVE-2016-10194, published 2017-03-03 and modified 2026-05-13. The NVD description states that shell metacharacters in strings passed to to_speech or to_mp3 can lead to arbitrary command execution. The record also lists CWE-77 and a critical CVSS 9.8 vector. Supporting references in the corpus include two oss-security mailing list posts and a GitHub issue, all tagged as patch/advisory or issue-tracking material.

Official resources

The supplied record gives the CVE publication timestamp as 2017-03-03T15:59:00.413Z. The supporting references (two oss-security mailing list posts and a GitHub issue) date from late January and early February 2017, so the advisory and issue-tracking discussion predate the NVD entry by several weeks.