Downloads Resources over HTTP in nw

GHSA-hv96-xxx2-5v7w CVE-2016-10588
Description

Affected versions of nw insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running nw.

Recommendation

Update to version 0.23.6-1 or later.

Affected Packages
Ecosystem: npm
Package: nw
Vulnerable Versions: <= 0.23.6-sdk
Patched Version: 0.23.6-1

Advisory Details
Published: February 18, 2019
Updated: June 18, 2026
CVSS Score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.86% (76th percentile)
Source: GitHub
Classification: GENERAL
UUID: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh2OTYteHh4Mi01djd3