CVE-2016-1000224: Insecure Defaults Leads to Potential MITM in ezseed-transmission
CVSS Score: 4.2 (CVSS v3.1)
Basic Information
CVE ID: CVE-2016-1000224
GHSA ID:
EPSS Score: -
CWE
Published: 9/1/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ezseed-transmission | npm | >= 0.0.10, <= 0.0.14 | 0.0.15 |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability stems from the 'install' script in package.json, which triggered a plain-HTTP download of the jq binary via the (now removed) jq.js helper. The patch removes this script entirely, indicating it was the vulnerable entry point. At install time (npm install), the script executes automatically as part of npm's lifecycle handling. The script name 'install' follows npm's standard lifecycle script naming convention, which is visible in profilers that track package installation processes.
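The pattern described above, an npm lifecycle hook that fetches a binary over plain HTTP, can be caught before it ever runs by inspecting the package's files. The following is an added example, not code from ezseed-transmission or from Miggo: it reads a package.json, selects the lifecycle scripts npm runs automatically, follows any local `node <file>.js` helper the hook invokes, and reports every `http://` URL found in either. The file names, package names and the `downloads.example.invalid` URL in the sample inputs are constructed placeholders, not the real package's values.

```javascript
// Added example (not the package's or Miggo's code): audit npm lifecycle
// scripts for plain-HTTP downloads. npm runs preinstall/install/postinstall
// hooks automatically during `npm install`, so an http:// fetch there, or in a
// local helper the hook invokes (as with the jq.js described above), is an
// insecure default that exposes the install to MITM.

const LIFECYCLE_SCRIPTS = new Set([
  'preinstall', 'install', 'postinstall',
  'prepare', 'prepublish', 'preprepare', 'postprepare',
]);

// Plain http:// URLs only; https:// deliberately does not match.
const HTTP_URL_RE = /\bhttp:\/\/[^\s'"`)]+/gi;
// Local JavaScript files a hook invokes via `node <file>.js`.
const NODE_INVOCATION_RE = /\bnode\s+(\S+\.js)\b/g;

/**
 * files: map of relative path -> file text for the package being audited
 *        (must contain 'package.json'; helper scripts are optional).
 * Returns one finding per insecure URL: { script, source, url }, where
 * `source` is 'package.json' or the helper file the hook runs.
 */
function auditLifecycleScripts(files) {
  const pkg = JSON.parse(files['package.json'] || '{}');
  const scripts = pkg.scripts || {};
  const findings = [];

  for (const [name, command] of Object.entries(scripts)) {
    if (!LIFECYCLE_SCRIPTS.has(name) || typeof command !== 'string') continue;

    // Text to inspect: the hook command itself plus any local script it runs.
    const sources = [['package.json', command]];
    for (const m of command.matchAll(NODE_INVOCATION_RE)) {
      const file = m[1].replace(/^\.\//, '');
      if (typeof files[file] === 'string') sources.push([file, files[file]]);
    }

    for (const [source, text] of sources) {
      for (const url of text.match(HTTP_URL_RE) || []) {
        findings.push({ script: name, source, url });
      }
    }
  }
  return findings;
}

// Constructed sample with the vulnerable shape: an install hook that runs a
// helper which downloads a binary over plain HTTP (placeholder URL).
const VULNERABLE_FILES = {
  'package.json': JSON.stringify({
    name: 'example-package',
    version: '0.0.1',
    scripts: { install: 'node jq.js' },
  }),
  'jq.js': [
    '// constructed helper: fetches a binary over plain HTTP at install time',
    "const http = require('http');",
    "http.get('http://downloads.example.invalid/jq', (res) => res.pipe(process.stdout));",
  ].join('\n'),
};

// Constructed sample with the patched shape: the install hook is gone.
const PATCHED_FILES = {
  'package.json': JSON.stringify({
    name: 'example-package',
    version: '0.0.2',
    scripts: { test: 'node test.js' },
  }),
};

if (typeof require === 'function' && require.main === module) {
  console.log(auditLifecycleScripts(VULNERABLE_FILES));
  console.log(auditLifecycleScripts(PATCHED_FILES));
}
```

Run against the vulnerable sample the audit reports one finding, attributed to the `install` hook and located in `jq.js`; the patched sample, which no longer has any lifecycle hook, reports nothing. The check is intentionally narrow (HTTP scheme only, helpers resolved only for direct `node <file>.js` invocations), which keeps it free of false positives on the common case of an `https://` fetch with a verified checksum.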