CVE-2016-10580 — Downloads Resources over HTTP in nodewebkit

Description

Affected versions of `nodewebkit` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `nodewebkit`. ## Recommendation No patch is currently available, and the package author has deprecated this package. The best path forward in mitigating this vulnerability is to use the [official installer](https://www.npmjs.com/nw) instead of this package, as per the package author's instructions.

How to fix CVE-2016-10580

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2016-10580 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.11.6

References (3)

ADVISORYgithub.com/advisories/GHSA-gc6c-5v9w-xmhw
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10580
WEBwww.npmjs.com/advisories/173