N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10578

GHSA ID

GHSA-qjf4-7642-c57p

EPSS Score

0.39193%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10578

CVE-2016-10578: Downloads Resources over HTTP in unicode

Affected versions of unicode insecurely download resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution.

Recommendation

Update to version 9.0.0 or later.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10578

GHSA ID

GHSA-qjf4-7642-c57p

EPSS Score

0.39193%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
unicode	npm	< 9.0.0	9.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure HTTP downloads of UnicodeData.txt. Analysis shows:

install.js contained resolution logic that would attempt HTTP downloads when local files weren't found
package.json's postinstall hook triggered this logic automatically
Patches modified both the file resolution priority and removed the automatic execution
The systemfiles array modification and postinstall removal directly correlate to mitigating the HTTP download vector While exact function names aren't visible, the install.js file resolution logic and package.json postinstall hook are the primary execution paths that would appear in a profiler during vulnerable package installation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `uni*o**` ins**ur*ly *ownlo** r*sour**s ov*r *TTP. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, t**y **n mo*i*y or r*** su** r*sour**s *t will. W*il* t** *x**t s*v*rity o* imp**t *or * vuln*r**ility lik* t*

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* *TTP *ownlo**s o* Uni*o****t*.txt. *n*lysis s*ows: *. inst*ll.js *ont*in** r*solution lo*i* t**t woul* *tt*mpt *TTP *ownlo**s w**n lo**l *il*s w*r*n't *oun* *. p**k***.json's postinst*ll *ook tri***r** t*is lo*i*

N/A

Basic Information

Concerned about an active attack path?

CVE-2016-10578: Downloads Resources over HTTP in unicode

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI