Severity: high

Downloads Resources over HTTP



Affected versions of phantomjs-cheniu insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running phantomjs-cheniu.


No patch is currently available for this vulnerability.

As this package is just a fork of Medium's phantomjs-prebuilt package, the best mitigation is currently to install the Medium version of phantomjs-prebuilt. This can be done via the following command:

npm i phantomjs-prebuilt
Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Jan 1st, 2017
  2. reported

    Initial report by Adam Baldwin
    Dec 1st, 2016