CVE-2016-10578: Downloads Resources over HTTP in unicode
CVSS Score: N/A
Basic Information
- CVE ID: CVE-2016-10578
- GHSA ID: (not listed)
- EPSS Score: 0.39193%
- CWE: (not listed)
- Published: 2/18/2019
- Updated: 1/9/2023
- KEV Status: No
- Technology: JavaScript
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| unicode | npm | < 9.0.0 | 9.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure HTTP downloads of UnicodeData.txt. Analysis shows:
- install.js contained file resolution logic that fell back to downloading UnicodeData.txt over plain HTTP when no local copy was found
- package.json's postinstall hook triggered this logic automatically on every install
- The patches changed the file resolution priority and removed the automatic execution
- The modification of the systemfiles array and the removal of the postinstall hook directly correspond to closing the HTTP download vector

While exact function names are not visible, the file resolution logic in install.js and the postinstall hook in package.json are the primary execution paths that would appear in a profiler during installation of a vulnerable version.