VYPR
High severity · NVD Advisory · Published Jun 1, 2018 · Updated Sep 16, 2024

CVE-2016-10582

Description

closurecompiler is a Closure Compiler for node.js. closurecompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

closurecompiler downloads JRE binaries over HTTP, enabling MITM attackers to substitute malicious files and achieve remote code execution.

Vulnerability

closurecompiler for Node.js up to version 1.6.1 downloads a bundled OpenJDK JRE binary over an unencrypted HTTP connection [1][2]. The download URL is hardcoded as http://bundled-openjdk-jre.googlecode.com/files/OpenJDK-JRE-7u6_24-... .tar.gz [3]. Because no transport security is used, the binary can be tampered with during transit [2].

Exploitation

An attacker who can perform a man-in-the-middle (MITM) attack on the network between the user and the remote server can intercept the HTTP request for the JRE binary and replace it with a malicious file [1]. The attack does not require any special privileges beyond network position; the user only needs to run the npm package installation process that triggers the download.

Impact

Successful exploitation allows the attacker to achieve remote code execution (RCE) on the user's system [1][2]. The malicious binary is executed in the context of the user running the installation, potentially leading to full compromise of the development environment.

Mitigation

The issue was fixed in commit e59848f5975e5b15279c044daf9cff8ff192bae6, which changed the download URL to the HTTPS endpoint https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/bundled-openjdk-jre/ [3]. Users should update to a patched version; the package repository was archived on June 5, 2020, so no further updates are expected. Users who cannot update should avoid using closurecompiler in network environments where MITM attacks are possible.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: closurecompiler (npm)
Affected versions: <= 1.6.1
Patched versions: (none listed)

Affected products

3

Patches

1
e59848f5975e

Merge pull request #51 from Greenek/master

https://github.com/dcodeIO/ClosureCompiler.js · Daniel Wirtz · Nov 1, 2016 · via ghsa
1 file changed · +4 -4
  • scripts/configure.js (+4 -4, modified)
    @@ -48,7 +48,7 @@ function platformPostfix() {
     }
     
     // Bundled JRE download url
    -var jrePrefix = "http://bundled-openjdk-jre.googlecode.com/files/OpenJDK-JRE-7u6_24-";
    +var jrePrefix = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/bundled-openjdk-jre/OpenJDK-JRE-7u6_24-";
     var jrePostfix = ".tar.gz";
     var jreUrl = jrePrefix+platformPostfix()+jrePostfix;
     
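Review bot: pointing jrePrefix at the https://storage.googleapis.com/... URL stops on-path tampering, but this hunk adds no integrity check on the fetched OpenJDK-JRE-7u6_24-<platform>.tar.gz, so correctness now rests entirely on TLS validation inside download() and on the new host staying trustworthy. Suggest pinning a per-platform SHA-256 next to jrePrefix/jrePostfix and verifying it before unpack() runs, and confirming that download() does not disable certificate verification (rejectUnauthorized: false) or follow a redirect back to an http:// location.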
    @@ -205,13 +205,13 @@ function download(downloadUrl, filename, callback, ondata) {
      * @param {function(?Error)} callback
      * @param {function(Object)=} entryCallback
      */
    -function unpack(filename, callback, entryCallback) {   
    +function unpack(filename, callback, entryCallback) {
         var input = fs.createReadStream(filename, { flags: 'r', encoding: null }),
             files = {},
             dir = path.dirname(filename),
             returned = false,
             to = null;
    -    
    +
         // Finishs the unpack if all files are done
         function maybeFinish() {
             if (to !== null) clearTimeout(to);
    @@ -230,7 +230,7 @@ function unpack(filename, callback, entryCallback) {
                 }
             }, 1000);
         }
    -    
    +
         input.pipe(zlib.createGunzip()).pipe(tar.Parse()).on("entry", function(entry) {
             if (entryCallback) entryCallback(entry);
             if (entry["type"] == 'File') {
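Review bot: the only change in this hunk is the whitespace-only blank line before `input.pipe(zlib.createGunzip()).pipe(tar.Parse())`, unrelated to the fix. Worth checking in the "entry" handler that follows it: since dir is derived from the downloaded filename and the archive now comes from a different host, verify that each entry's path is resolved and confirmed to stay inside dir before it is written, so an unexpected entry name cannot land files outside the install directory.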

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.