CVE-2016-10622

EPSS: 2.0% | CWE-311
In short

nodeschnaps downloads files over unencrypted HTTP, allowing attackers on the network to intercept and replace them with malicious versions, potentially executing harmful code on your computer.

Technical detail

nodeschnaps fetches binary resources via unencrypted HTTP without integrity verification, enabling man-in-the-middle attacks where a network-positioned attacker can substitute malicious binaries for legitimate ones, resulting in arbitrary remote code execution during installation or runtime.

Summary generated and translated by AI from the official description.
nodeschnaps is a NodeJS compatibility layer for Java (Rhino). nodeschnaps downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
