Downloads Resources over HTTP in imageoptim

High severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm imageoptim (npm)

Affected versions

<= 0.5.0

Patched versions

None

Description

imageoptim is a Node.js wrapper for several image compression tools.

imageoptim downloads zipped resources over plain HTTP, which leaves the download open to man-in-the-middle (MITM) tampering. An attacker on the same network, or otherwise positioned between the user and the remote server, could swap the requested tarball for an attacker-controlled one, which may lead to remote code execution (RCE) when the wrapper unpacks and runs it.

Recommendation

No fix is currently available for this vulnerability.

It is our recommendation to not install or use this module at this time.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.175%
(55th percentile)

Weaknesses

CVE ID

CVE-2016-10596

GHSA ID

GHSA-mm7h-323r-9p4g

Source code

No known source code