PT-2018-4758 · Node Webkit · Nodewebkit

Published 2018-06-01 · Updated 2019-10-09 · CVE-2016-10580

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: nodewebkit (affected versions not specified)

Description: The nodewebkit package downloads zipped resources over plain HTTP, so the download is exposed to man-in-the-middle (MITM) attacks and can lead to remote code execution (RCE). An attacker positioned between the user and the remote server, or on the same network, can intercept the response and substitute an attacker-controlled zip file for the requested one. Because the swapped archive replaces the executable that nodewebkit runs, the result is code execution on the system running nodewebkit.

Recommendations: As a temporary workaround, use the official installer instead of the nodewebkit package, as the package author advises. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Missing Encryption of Sensitive Data

Related Identifiers

CVE-2016-10580
GHSA-GC6C-5V9W-XMHW

Affected Products

Nodewebkit