CVE-2016-10534

Description

Affected versions of `electron-packager` configure the generated application to disable SSL certificate verification by default. This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one. This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API. ## Recommendation 1. Update to version 7.0.0 or later. 2. Delete the `electron-download` cache folder, which is by default located at `~/.electron`.

How to fix CVE-2016-10534

To remediate CVE-2016-10534, upgrade the affected package to a fixed version below.

• —upgrade to 7.0.0 or later

Is CVE-2016-10534 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.2.1, < 7.0.0

References (4)

• ADVISORYgithub.com/advisories/GHSA-q43m-ffwr-rpcc
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10534
• WEBgithub.com/electron-userland/electron-packager/issues/333
• WEBwww.npmjs.com/advisories/104