Downloads Resources over HTTPclosure-util
Affected versions of
closure-util insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running
To mitigate this issue:
- Install the package using npm's
- Navigate to the package directory, and open
default-config.jsonin a text editor
- Change the download URLs in the
npm iin the package directory.
publishedAdvisory publishedDec 18th, 2016
reportedInitial report by Adam BaldwinNov 30th, 2016