Severity: high

Downloads Resources over HTTP



Affected versions of closure-util insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running closure-util.


To mitigate this issue:

  1. Install the package using npm's --ignore-scripts flag.
  2. Navigate to the package directory, and open default-config.json in a text editor
  3. Change the download URLs in the compiler_url and library_url to https equivalents
  4. run npm i in the package directory.
Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Dec 18th, 2016
  2. reported

    Initial report by Adam Baldwin
    Nov 30th, 2016