9.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10661

GHSA ID

GHSA-w364-8vfv-gvf5

EPSS Score

0.66847%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10661

CVE-2016-10661: Downloads Resources over HTTP in phantomjs-cheniu

Affected versions of phantomjs-cheniu insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running phantomjs-cheniu.

Recommendation

No patch is currently available for this vulnerability.

As this package is just a fork of Medium's phantomjs-prebuilt package, the best mitigation is currently to install the Medium version of phantomjs-prebuilt. This can be done via the following command:

npm i phantomjs-prebuilt

(GitHub Advisory)

9.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10661

GHSA ID

GHSA-w364-8vfv-gvf5

EPSS Score

0.66847%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phantomjs-cheniu	npm	<= 2.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from downloading executables over HTTP. While no explicit code is provided, npm packages like phantomjs-prebuilt (which this forks) typically implement binary downloads in an install script (install.js). The fork's continued use of HTTP (rather than HTTPS) in this download mechanism matches the described vulnerability pattern. The high confidence comes from the standard implementation patterns in similar packages and the explicit MITM attack vector described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `p**ntomjs-***niu` ins**ur*ly *ownlo** *n *x**ut**l* ov*r *n un*n*rypt** *TTP *onn**tion. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, it is possi*l* to int*r**pt t** r*spons* *n* r*pl*** t** *x**ut**l* wit

Reasoning

T** vuln*r**ility st*ms *rom *ownlo**in* *x**ut**l*s ov*r *TTP. W*il* no *xpli*it *o** is provi***, `npm` p**k***s lik* `p**ntomjs-pr**uilt` (w*i** t*is *orks) typi**lly impl*m*nt *in*ry *ownlo**s in *n inst*ll s*ript (`inst*ll.js`). T** *ork's *onti

9.3

Basic Information

Concerned about an active attack path?

CVE-2016-10661: Downloads Resources over HTTP in phantomjs-cheniu

Recommendation

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI