9.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10600

GHSA ID

GHSA-7xvg-m3vx-2hhv

EPSS Score

0.66847%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10600

CVE-2016-10600: Downloads Resources over HTTP in webrtc-native

Affected versions of webrtc-native insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running webrtc-native.

Recommendation

No direct patch is currently available for this vulnerability.

However, if the native components of webrtc-native are built from source, this avoids download the precompiled binary, therefore mitigating the insecure download.

The package author has provided instructions for building from source here.

(GitHub Advisory)

9.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10600

GHSA ID

GHSA-7xvg-m3vx-2hhv

EPSS Score

0.66847%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
webrtc-native	npm	<= 1.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly involves insecure HTTP downloads of a precompiled binary during installation. While the exact function name and file path are not provided in the advisories, Node.js packages typically handle such downloads via installation scripts (e.g., postinstall hooks in package.json calling a script like install.js). The function performing the HTTP download would use insecure protocols (http://) instead of HTTPS. The confidence is high because the vulnerability's root cause (HTTP download) is unambiguous, even if the exact code location isn't explicitly documented.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `w**rt*-n*tiv*` ins**ur*ly *ownlo** *n *x**ut**l* ov*r *n un*n*rypt** *TTP *onn**tion. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, it is possi*l* to int*r**pt t** r*spons* *n* r*pl*** t** *x**ut**l* wit* *

Reasoning

T** vuln*r**ility *xpli*itly involv*s ins**ur* *TTP *ownlo**s o* * pr**ompil** *in*ry *urin* inst*ll*tion. W*il* t** *x**t *un*tion n*m* *n* *il* p*t* *r* not provi*** in t** **visori*s, No**.js p**k***s typi**lly **n*l* su** *ownlo**s vi* inst*ll*ti

9.3

Basic Information

Concerned about an active attack path?

CVE-2016-10600: Downloads Resources over HTTP in webrtc-native

Recommendation

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI