CVE-2016-10600
In short
webrtc-native downloads binary files over unencrypted HTTP instead of secure HTTPS, allowing attackers on the network to intercept and replace these files with malicious versions, potentially executing harmful code on your computer.
Technical detail
The vulnerability stems from insecure transport (CWE-311) of binary resources over HTTP without encryption or integrity verification. An attacker positioned on the network path (MITM) can intercept HTTP requests and serve malicious binaries, achieving remote code execution if the application executes the downloaded resources without validation.
Summary generated and translated by AI from the official description.
webrtc-native uses WebRTC from the Chromium project. webrtc-native downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server.
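An added example (not code from webrtc-native or the advisory) of the check the description says is missing: the binary is fetched over HTTPS only and compared against a SHA-256 digest shipped with the package before it is written or loaded. The URL, the digest and the function names are hypothetical and constructed for illustration.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');
const https = require('node:https');

// Constructed placeholder values. A real installer would ship the publisher's
// digest inside the npm package rather than compute it at run time.
const PINNED = {
  url: 'https://downloads.example.invalid/webrtc-prebuilt.node',
  sha256: createHash('sha256').update('constructed sample binary').digest('hex'),
};

// Returns the bytes only if the URL is HTTPS and the SHA-256 digest matches.
function verifyArtifact(url, bytes, expectedSha256) {
  if (new URL(url).protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS download: ${url}`);
  }
  const actual = createHash('sha256').update(bytes).digest();
  const expected = Buffer.from(expectedSha256, 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (expected.length !== actual.length || !timingSafeEqual(actual, expected)) {
    throw new Error('SHA-256 mismatch: downloaded binary rejected');
  }
  return bytes;
}

// Downloads into memory and verifies before anything touches disk.
// https.get does not follow redirects, so a 3xx (including one that points
// at plain HTTP) is rejected by the status check.
function fetchVerified({ url, sha256 }) {
  return new Promise((resolve, reject) => {
    if (new URL(url).protocol !== 'https:') {
      return reject(new Error(`refusing non-HTTPS download: ${url}`));
    }
    https.get(url, (res) => {
      if (res.statusCode !== 200) {
        res.resume();
        return reject(new Error(`unexpected status ${res.statusCode}`));
      }
      const chunks = [];
      res.on('data', (c) => chunks.push(c));
      res.on('end', () => {
        try { resolve(verifyArtifact(url, Buffer.concat(chunks), sha256)); }
        catch (err) { reject(err); }
      });
    }).on('error', reject);
  });
}
```

HTTPS alone authenticates the server; the pinned digest additionally covers a compromised or misconfigured download host.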
Affected products
HackerOne · webrtc-native node module
References
https://nodesecurity.io/advisories/176