High severity · NVD Advisory · Published Jun 1, 2018 · Updated Aug 6, 2024

CVE-2016-10583

Description

closure-utils is a set of utilities for Closure Library based projects. closure-utils downloads binary resources over plain HTTP, which leaves it vulnerable to MITM attacks. An attacker on the network, or otherwise positioned between the user and the remote server, may be able to achieve remote code execution (RCE) by swapping the requested binary for an attacker-controlled one.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

closure-utils downloads binaries over unencrypted HTTP, enabling MITM attacks that may lead to remote code execution.

Vulnerability

The closure-utils npm package (utilities for Closure Library based projects) downloads binary resources over an unencrypted HTTP connection instead of HTTPS. All versions up to and including 2.0.0-beta.1 are affected [2]. The binary downloads occur during the package's installation process (e.g., downloading the Closure Compiler or other binaries). Because the transport is neither encrypted nor authenticated, the integrity and origin of the downloaded binary cannot be verified.

Exploitation

An attacker in a privileged network position, such as being on the same local network or positioned between the user and the remote server, can perform a man-in-the-middle (MITM) attack. The attacker intercepts the HTTP request for the binary and replaces the response with a malicious executable. No authentication or user interaction beyond executing the package installation (e.g., running npm install closure-util) is required [1][2].

Impact

If the attacker successfully swaps the binary during the MITM attack, the system running closure-utils will execute the malicious binary. This can result in remote code execution (RCE) with the privileges of the user running the installation. The impact is high, as the attacker can gain full control over the affected system, potentially leading to further compromise [1][2].

Mitigation

To mitigate this issue before a patched version is released, users should install the package with npm's --ignore-scripts flag so the install script does not download the binaries. Then, navigate to the package directory, open default-config.json in a text editor, change the download URLs for compiler_url and library_url to their HTTPS equivalents, and run npm install again [2]. No official patched version of closure-utils has been published, so the manual workaround is the only fix available [2]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions    Patched versions
closure-util   npm         <= 2.0.0-beta.1      (none)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)