VYPR
High severity · NVD Advisory · Published May 31, 2018 · Updated Sep 17, 2024

CVE-2016-10564

Description

apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

apk-parser versions before 0.1.6 download binary resources over HTTP, enabling MITM attackers to swap binaries and achieve remote code execution.

Vulnerability

The apk-parser npm package before version 0.1.6 downloads binary resources (such as APK files or related artifacts) over unencrypted HTTP connections. Because the channel is not protected by TLS, any binary fetched during operation is transmitted in cleartext. An attacker with network access can intercept the download and replace the legitimate binary with a malicious one. The affected versions are all releases prior to 0.1.6. [1]

Exploitation

An attacker must be able to perform a man-in-the-middle (MITM) attack, meaning they need to be on the same network segment as the victim or positioned between the victim and the remote server hosting the binary resources. No authentication is required beyond the ability to intercept the HTTP traffic. The attacker simply waits for the victim to use apk-parser on a target that triggers a binary download, then substitutes the response payload with a crafted malicious binary. [1]

Impact

Successful exploitation allows the attacker to deliver an arbitrary binary that the host process will then parse or execute. Because the tool processes APK files (which can include executable code in the Android package format), this can lead to remote code execution (RCE) on the victim's system at the privilege level of the user running apk-parser. The attack fully compromises the integrity and confidentiality of the user's environment. [1]

Mitigation

The fix was released in version 0.1.6 of apk-parser. Users should upgrade to 0.1.6 or later, which downloads resources over HTTPS instead of HTTP. No workaround other than upgrading is documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
apk-parser   npm         < 0.1.6             0.1.6

Affected products: 3

Patches: 0 (no patches discovered yet)

References: 4