CVE-2016-10613
Description
bionode-sra is a Node.js wrapper for SRA Toolkit. bionode-sra downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
bionode-sra downloads data over unencrypted HTTP, enabling MITM attacks to compromise data integrity or inject malicious content.
Vulnerability
bionode-sra, a Node.js wrapper for the SRA Toolkit, downloads data resources over plain HTTP without TLS. This design choice leaves all data in transit vulnerable to man-in-the-middle attacks. The affected package is any version of bionode-sra that relies on HTTP for data retrieval, as described in the official advisory [1]. The official GitHub repository [2] confirms the package's functionality as a wrapper for the SRA Toolkit, but does not provide specific version information or indicate that HTTPS is used.
Exploitation
An attacker with network access between the user and the remote server hosting SRA data can intercept the HTTP traffic. No authentication or user interaction beyond running the tool is required; any user of bionode-sra that triggers a data download is susceptible. The attacker can perform a standard man-in-the-middle attack by intercepting the HTTP request and response, potentially modifying or replacing the downloaded files without the user's knowledge.
Impact
Successful exploitation allows the attacker to replace the intended data with arbitrary content, leading to a complete loss of integrity and possible confidentiality or availability compromise. Since the data may be used in downstream scientific analysis, the impact could include corrupted research results or execution of malicious payloads if the downloaded content is processed unsafely (e.g., via shell commands). The attacker does not gain direct system access but can inject malicious data into the user's workflow.
Mitigation
No official fix has been released for bionode-sra as of the publication date of this CVE. The package appears to be deprecated or unmaintained, and no updated version addressing the HTTP vulnerability is mentioned in the available references [1][2]. Users should avoid using bionode-sra altogether or manually ensure that all downloaded data is transferred over HTTPS by using alternative tools or proxying through a secure connection. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bionode-sra (npm) | <= 2.0.0 | — |
Affected products
- HackerOne: bionode-sra node module (range: all versions)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-735c-r4vc-6gm9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-10613 (ghsa, ADVISORY)
- nodesecurity.io/advisories/211 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/211 (ghsa, WEB)
News mentions
No linked articles in our index yet.