CVE-2016-10571
Description
bkjs-wand provides ImageMagick wand support for Node.js and backendjs. bkjs-wand versions lower than 0.3.2 download binary resources over HTTP, which leaves them vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned between the user and the remote server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
bkjs-wand prior to 0.3.2 downloads binary resources over HTTP, enabling MITM attacks that can lead to remote code execution.
Vulnerability
bkjs-wand, an ImageMagick wand support package for Node.js and backendjs, downloads binary resources over HTTP in versions prior to 0.3.2 [1][2]. This insecure transport exposes the download to man-in-the-middle (MITM) attacks, as no encryption or integrity verification is used for the binary retrieval.
Exploitation
An attacker with network access—either on the same local network or positioned between the user and the remote server—can intercept the HTTP request for the binary resource and replace it with a malicious binary [1][2]. No authentication or user interaction beyond the normal package installation or update process is required; the attack occurs transparently during the download.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the victim's system with the privileges of the user running the Node.js application that uses bkjs-wand [1][2]. This results in full remote code execution (RCE), potentially leading to data theft, system compromise, or further lateral movement.
Mitigation
Upgrade bkjs-wand to version 0.3.2 or later, which addresses the issue by using HTTPS for binary downloads [2]. No workarounds are documented for earlier versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bkjs-wand (npm) | < 0.3.2 | 0.3.2 |
Affected products
- HackerOne/bkjs-wand node module (v5): Range <0.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4wm5-q7wv-6jx3 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10571 (GHSA, advisory)
- nodesecurity.io/advisories/220 (MITRE, x_refsource_MISC)
- www.npmjs.com/advisories/220 (GHSA, web)
News mentions
No linked articles in our index yet.