CVE-2016-10596

描述

imageoptim is a Node.js wrapper for some images compression algorithms. imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server. ## Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time.

如何修補 CVE-2016-10596

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2016-10596 正在被利用嗎?

低 — EPSS 為 0.8%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 0.5.0

參考連結(3)

• ADVISORYgithub.com/advisories/GHSA-mm7h-323r-9p4g
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10596
• WEBwww.npmjs.com/advisories/194