Platform: nodejs
Component: electron-packager
Fixed in: 7.0.0
CVE-2016-10534 affects versions of electron-packager before 7.0.0. This vulnerability allows attackers to perform Man-in-the-Middle (MITM) attacks during the Electron download process, potentially replacing legitimate downloads with malicious ones. The issue stems from the default disabling of SSL certificate verification. Updating to version 7.0.0 or later resolves this vulnerability.
An attacker with a privileged network position can exploit this vulnerability to intercept the Electron download process used by electron-packager. By replacing the valid Electron download with a tampered, malicious version, the attacker can compromise the application being packaged. This could lead to the installation of malware, data theft, or other malicious activities. The impact is particularly concerning for users who rely on electron-packager to build and distribute their applications, as it introduces a supply chain attack vector. While the strict-ssl option is true for the node.js API, the CLI defaults to disabling SSL verification, making it vulnerable.
CVE-2016-10534 was publicly disclosed in 2019. While no active exploitation campaigns have been definitively linked to this specific CVE, the potential for MITM attacks in the software supply chain remains a significant concern. It is not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it potentially exploitable with readily available MITM tools.
Exploit Status
EPSS: 0.16% (36th percentile)
The primary mitigation for CVE-2016-10534 is to upgrade electron-packager to version 7.0.0 or later, which addresses the default SSL verification issue. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) or proxy to inspect and validate the Electron download traffic. Ensure that your network environment enforces strict SSL certificate validation policies. For environments where upgrading is disruptive, carefully review the strict-ssl configuration option within the node.js API and ensure it is set to true.
CVE-2016-10534 is a vulnerability in electron-packager versions before 7.0.0 that allows attackers to perform MITM attacks during Electron downloads, potentially replacing them with malicious files.
You are affected if you are using electron-packager versions prior to 7.0.0 and are using the CLI, as the default SSL verification is disabled.
Upgrade electron-packager to version 7.0.0 or later to resolve the vulnerability. Consider WAF/proxy rules if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are publicly known, the potential for MITM attacks makes it a significant risk.
Refer to the electron-packager documentation and related security advisories for more information: https://github.com/electron-userland/electron-packager/issues/602