Downloads Resources over HTTP

2016-12-18T22:47:57
ID NODEJS:165
Type nodejs
Reporter Adam Baldwin
Modified 2018-05-08T14:27:01

Description

Overview

Affected versions of closure-util insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running closure-util.

Recommendation

To mitigate this issue:

1. Install the package using npm's --ignore-scripts flag, so the install script does not fetch the executable before the configuration is fixed.
2. Navigate to the package directory and open default-config.json in a text editor.
3. Change the download URLs in compiler_url and library_url to their https equivalents.
4. Run npm i in the package directory.
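The steps above as a POSIX shell script, added here as an illustration and not part of the advisory or of closure-util itself. The default-config.json written by write_sample_config is a constructed sample (the key names compiler_url and library_url come from the advisory; the example.invalid URLs are placeholders), the rewrite assumes one key per line as in pretty-printed JSON, and the two npm commands are shown in comments rather than executed so the script runs offline.

```sh
#!/bin/sh
# Added example: applying the advisory's mitigation for closure-util.
# Sample config, URLs and helper names are constructed for this script.

# Step 1 of the advisory (shown, not run here): install without running
# install scripts, so nothing is downloaded over plain HTTP yet.
#   npm install --ignore-scripts closure-util

# Write a constructed sample default-config.json to the path given as $1.
# Only compiler_url and library_url are the download URLs the advisory names;
# other_url is a control entry that the rewrite must leave untouched.
write_sample_config() {
    cat > "$1" <<'EOF'
{
  "compiler_url": "http://example.invalid/compiler-latest.zip",
  "library_url": "http://example.invalid/closure-library.zip",
  "other_url": "http://example.invalid/unrelated"
}
EOF
}

# Step 3 of the advisory: switch the two download URLs from http:// to
# https://. Assumes one key per line (pretty-printed JSON); other keys
# are not modified.
rewrite_to_https() {
    cfg="$1"
    sed -e '/"compiler_url"/ s#"http://#"https://#' \
        -e '/"library_url"/ s#"http://#"https://#' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Number of download URLs (compiler_url, library_url) still using plain http://.
count_http_download_urls() {
    grep -Ec '"(compiler_url|library_url)": *"http://' "$1" || true
}

# Verification check: succeeds (exit 0) only when neither download URL
# still uses plain http://. Run this before step 4.
check_download_urls() {
    ! grep -E '"(compiler_url|library_url)": *"http://' "$1" >/dev/null
}

# Step 4 of the advisory (shown, not run here): with the URLs fixed, let the
# install script fetch the executable over TLS.
#   npm i

# Demo against a temporary copy of the sample config.
tmp="${TMPDIR:-/tmp}/default-config.$$.json"
write_sample_config "$tmp"
echo "before: $(count_http_download_urls "$tmp") plain-http download URL(s)"
rewrite_to_https "$tmp"
echo "after:  $(count_http_download_urls "$tmp") plain-http download URL(s)"
check_download_urls "$tmp" && echo "OK: download URLs use https"
rm -f "$tmp"
```

The sed rewrite deliberately matches only the lines carrying the two keys the advisory names, and check_download_urls is the gate to pass before running npm i: if it fails, the install script would still fetch over an unencrypted connection.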