6.8

CVSS Score

Basic Information

CVE ID

CVE-2016-10641

GHSA ID

GHSA-c2vr-2c89-ph88

EPSS Score

0.39308%

CWE

CWE-269

Published

9/18/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10641

CVE-2016-10641: Downloads Resources over HTTP in node-bsdiff-android

Affected versions of node-bsdiff-android insecurely download resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution.

Recommendation

No patch is currently available for this vulnerability, and the package has not seen an update since 2014.

The best mitigation is currently to avoid using this package, using a different package if available.

Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised your network or those who have privileged access to your ISP, such as Nation State Actors or Rogue ISP Employees.

(GitHub Advisory)

6.8

CVSS Score

Basic Information

CVE ID

CVE-2016-10641

GHSA ID

GHSA-c2vr-2c89-ph88

EPSS Score

0.39308%

CWE

CWE-269

Published

9/18/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
node-bsdiff-android	npm	<= 0.1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information clearly identifies insecure HTTP downloads as the root cause, but does not include actual source code, commit diffs, or specific function references. While we can infer that functions handling resource downloads would be vulnerable (e.g., functions using Node.js http module methods like http.get() for fetching updates), the lack of concrete code examples or package implementation details prevents high-confidence identification of specific functions. The advisory texts describe the vulnerability in general terms without pointing to specific functions or file paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `no**-*s*i**-*n*roi*` ins**ur*ly *ownlo** r*sour**s ov*r *TTP. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, t**y **n mo*i*y or r*** su** r*sour**s *t will. W*il* t** *x**t s*v*rity o* imp**t *or * vuln*r**i

Reasoning

T** provi*** vuln*r**ility in*orm*tion *l**rly i**nti*i*s ins**ur* *TTP *ownlo**s *s t** root **us*, *ut *o*s not in*lu** **tu*l sour** *o**, *ommit *i**s, or sp**i*i* *un*tion r***r*n**s. W*il* w* **n in**r t**t *un*tions **n*lin* r*sour** *ownlo**s

6.8

Basic Information

Concerned about an active attack path?

CVE-2016-10641: Downloads Resources over HTTP in node-bsdiff-android

Recommendation

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI