## Security Alert: Cleartext Transmission Vulnerability in WebSocket and Serve Configurations
A medium-severity security vulnerability has been identified, exposing the application to cleartext data transmission. Multiple project dependencies are configured to use unencrypted HTTP connections instead of HTTPS, creating a direct channel for man-in-the-middle attacks and data interception. This flaw, classified as CWE-319 with a CVSS score of 6.5, compromises the fundamental security of network communications.

The vulnerability is rooted in specific configuration files within key dependencies. The `ws` library's WebSocket server implementation (`node_modules/ws/lib/websocket-server.js`, line 97) and the `serve` utility's main build file (`node_modules/serve/build/main.js`, line 221) are both transmitting data without TLS encryption. This exposes all data flowing through these channels, making sensitive information like authentication tokens, passwords, and session data vulnerable to capture and tampering by any attacker on the network path.

The immediate security impact is severe, enabling credential theft, undetected data manipulation, and full eavesdropping on application communications. Remediation requires urgent configuration changes to enforce HTTPS for all WebSocket connections and static file serving. The presence of such a basic cryptographic oversight in production dependencies signals a critical gap in the project's security posture and dependency review process, demanding a swift patch and a broader audit of all external library configurations.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, websocket, https, nodejs
- **Credibility**: unverified
- **Published**: 2026-04-14 19:22:59
- **ID**: 64250
- **URL**: https://whisperx.ai/en/intel/64250