High severityNVD Advisory· Published May 29, 2018· Updated Sep 17, 2024
CVE-2017-16003
CVE-2017-16003
Description
windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
windows-build-toolsnpm | < 1.0.0 | 1.0.0 |
Affected products
1- Range: <1.0.0
Patches
19835d33e68f2:wrench: Use HTTPS - Thanks to @grander
1 file changed · +1 −1
src/constants.js+1 −1 modified@@ -2,7 +2,7 @@ var pythonMirror = process.env.npm_config_python_mirror || process.env.PYTHON_MI var buildTools = { installerName: 'BuildTools_Full.exe', - installerUrl: 'http://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe', + installerUrl: 'https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe', logName: 'build-tools-log.txt' }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-9p47-w5xp-f4xrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-16003ghsaADVISORY
- github.com/felixrieseberg/windows-build-tools/commit/9835d33e68f2cb5e4d148e954bb3ed0221d98e90ghsax_refsource_MISCWEB
- github.com/felixrieseberg/windows-build-tools/commit/9835d33e68f2cb5e4d148e954bb3ed0221d98e90)ghsaWEB
- nodesecurity.io/advisories/304mitrex_refsource_MISC
- www.npmjs.com/advisories/304ghsaWEB
News mentions
0No linked articles in our index yet.