CVE-2016-10657
Description
co-cli-installer downloads the co-cli module as part of the install process, but does so over HTTP, which leaves it vulnerable to MITM attacks. An attacker on the same network, or positioned between the user and the remote server, may be able to achieve remote code execution (RCE) by swapping the requested resource for an attacker-controlled copy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
co-cli-installer downloads a module over unencrypted HTTP, enabling MITM attackers to replace the executable and achieve remote code execution.
Vulnerability
The co-cli-installer npm package downloads the co-cli module as part of its install process over an unencrypted HTTP connection, which provides neither confidentiality nor integrity for the downloaded file. All versions up to and including 0.0.2 are affected. This insecure download mechanism leaves the package vulnerable to man-in-the-middle (MITM) attacks [1], [2].
Exploitation
An attacker with a privileged network position, such as being on the same network as the user or positioned between the user and the remote server, can intercept the HTTP request made during installation. Because nothing authenticates the response, the attacker can swap the requested resource for an attacker-controlled copy; the installer then downloads and executes the malicious file as if it were the genuine co-cli module [1], [2].
Impact
Successful exploitation gives the attacker full remote code execution (RCE) on the system running co-cli-installer, with the privileges of the user performing the installation [1], [2].
Mitigation
No patch is currently available for this vulnerability. The recommended mitigation is to avoid using this package entirely and choose an alternative if available. If usage is unavoidable, the risk can be reduced by ensuring installation does not occur while connected to a public or untrusted network [2]. Note that this only narrows the window: any party on the path between the installer and the download server can still tamper with an unauthenticated HTTP response, so the downloaded file should be treated as untrusted until its transport and integrity are verified.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| co-cli-installer (npm) | <= 0.0.2 | — |
Affected products
- Vendor: HackerOne; Product: co-cli-installer node module; Range: All versions
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5rm3-qhxf-rh3r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10657 (NVD entry)
- nodesecurity.io/advisories/268 (MITRE reference, x_refsource_MISC)
- www.npmjs.com/advisories/268 (npm advisory)
News mentions
No linked articles in our index yet.