CVE-2016-10661

Name of the Vulnerable Software and Affected Versions phantomjs-cheniu (affected versions not specified)

Description The issue concerns phantomjs-cheniu, a Headless WebKit with JS API, which downloads binary resources over HTTP. This leaves it vulnerable to Man-In-The-Middle (MITM) attacks, potentially allowing remote code execution (RCE) if an attacker swaps the requested resources with a controlled copy, given they are on the network or between the user and the remote server. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running phantomjs-cheniu.

Recommendations As a temporary workaround, consider installing the Medium version of phantomjs-prebuilt via the command: npm i phantomjs-prebuilt At the moment, there is no information about a newer version that contains a fix for this vulnerability.