GHSA-mm7h-323r-9p4g

Suggest an improvement
Source
https://github.com/advisories/GHSA-mm7h-323r-9p4g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-mm7h-323r-9p4g/GHSA-mm7h-323r-9p4g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mm7h-323r-9p4g
Aliases
  • CVE-2016-10596
Published
2019-02-18T23:50:33Z
Modified
2023-11-08T03:58:14.835027Z
Summary
Downloads Resources over HTTP in imageoptim
Details

imageoptim is a Node.js wrapper for some images compression algorithms.

imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.

Recommendation

No fix is currently available for this vulnerability.

It is our recommendation to not install or use this module at this time.

Database specific 
{
    "cwe_ids": [
        "CWE-311"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:46:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

npm / imageoptim

Package

Name
imageoptim
View open source insights on deps.dev
Purl
pkg:npm/imageoptim

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.5.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-mm7h-323r-9p4g/GHSA-mm7h-323r-9p4g.json"