CVE-2017-16003: windows-build-tools downloads Resources over HTTP

CVSS Score: 8.1 (CVSS 3.0)

Basic Information
CVE ID: CVE-2017-16003
GHSA ID:
EPSS Score: 0.71888%
CWE:
Published: 11/9/2018
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript

Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| windows-build-tools | npm | < 1.0.0 | 1.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the insecure HTTP URL defined in the 'buildTools' object within src/constants.js. No explicit download function appears in the provided commit diff, but this configuration value is used directly to fetch the executable. The commit fixes the issue by changing the protocol to HTTPS, which confirms this configuration value as the root cause. Because the URL is defined without transport encryption, any code that fetches from it is exposed to interception or modification of the download in transit, even though the actual download function isn't shown in the provided snippets.