Platform: nodejs
Component: igniteui
Fixed in: 0.0.6
CVE-2016-10552 is a security vulnerability affecting versions of igniteui up to and including 0.0.5. This issue involves the insecure download of JavaScript and CSS resources over HTTP, potentially exposing sensitive data to attackers. The vulnerability's impact is mitigated by upgrading to the successor package, ignite-ui, or by ensuring all resources are served over HTTPS.
The primary impact of CVE-2016-10552 stems from the lack of encryption during resource downloads. An attacker positioned on a privileged network (e.g., within the same local network or using a man-in-the-middle attack) can intercept the HTTP traffic. This interception allows the attacker to view or even modify the downloaded JavaScript and CSS files. While the vulnerability itself doesn't directly lead to code execution, the compromised resources could be manipulated to inject malicious scripts or alter the application's appearance, potentially leading to phishing or other social engineering attacks. The blast radius is limited to users accessing the application over the affected network.
CVE-2016-10552 has been publicly disclosed and is not currently listed on the CISA KEV catalog. There are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely low due to the requirement of a privileged network position for exploitation and the availability of straightforward mitigation strategies.
Exploit Status
EPSS: 0.14% (33rd percentile)
The recommended mitigation for CVE-2016-10552 is to upgrade to the ignite-ui package, which has superseded igniteui. This package addresses the underlying issue and provides a more secure implementation. If upgrading is not immediately feasible, serve all resources over HTTPS: configure your web server to serve them over TLS and update any HTTP URLs referenced within the application to HTTPS. Verify the fix by inspecting network traffic to confirm resources are served over HTTPS, or by confirming that igniteui has been replaced with ignite-ui in your dependencies.
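As an added example (not taken from the advisory and not code from the igniteui or ignite-ui projects), the following Node.js script performs the two checks described above from a defender's side: it flags a package.json dependency on igniteui in the affected range (below the 0.0.6 fix version) and it finds script and link tags that load resources over plain HTTP, showing the HTTPS rewrite the mitigation calls for. The package.json object, the HTML snippet and the CDN host are constructed sample inputs; the version comparison is a simplified numeric compare, not full semver, and rewriting a reference to https:// only helps if the server actually serves that resource over TLS.

```javascript
// Added example for CVE-2016-10552 (not the advisory's or the projects' code).
// Check 1: dependency on igniteui below the fix version 0.0.6.
// Check 2: <script>/<link> tags loading resources over plain HTTP.
// All sample inputs below are constructed for the demonstration.

const AFFECTED_PACKAGE = 'igniteui';
const FIXED_VERSION = '0.0.6'; // advisory: "Fixed in 0.0.6"

// Compare two dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Simplified numeric comparison, not a full semver implementation (assumption).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Strip range prefixes such as ^, ~, >= so the declared base version can be compared.
// A lockfile gives the resolved version; the base of the declared range is an approximation.
function normalizeVersion(spec) {
  const m = /(\d+(?:\.\d+)*)/.exec(spec);
  return m ? m[1] : null;
}

// Inspect a parsed package.json object and report igniteui in the affected range.
function checkDependencies(pkg) {
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (name !== AFFECTED_PACKAGE) continue;
    const version = normalizeVersion(spec);
    if (version !== null && compareVersions(version, FIXED_VERSION) < 0) {
      findings.push({ name, version, advice: 'upgrade to the ignite-ui package' });
    }
  }
  return findings;
}

// Match script/link tags whose src/href is an http:// URL (plain HTTP resource load).
const TAG_RE = /<(script|link)\b[^>]*\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["'][^>]*>/gi;

// List every script/link tag that loads a resource over plain HTTP.
function findInsecureResources(html) {
  const hits = [];
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    hits.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return hits;
}

// Rewrite http:// resource URLs to https://; the server must actually serve them over TLS.
function rewriteToHttps(html) {
  return html.replace(TAG_RE, (tag) =>
    tag.replace(/(src|href)(\s*=\s*["'])http:\/\//i, '$1$2https://'));
}

// Constructed sample package.json: declares the affected igniteui version.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { igniteui: '^0.0.5', express: '4.17.1' },
};

// Constructed sample HTML; cdn.example.invalid is a placeholder host.
const SAMPLE_HTML = [
  '<script src="http://cdn.example.invalid/igniteui/infragistics.core.js"></script>',
  '<link rel="stylesheet" href="http://cdn.example.invalid/igniteui/infragistics.theme.css">',
  '<script src="https://cdn.example.invalid/app.js"></script>',
].join('\n');

function main() {
  console.log('dependency findings:', checkDependencies(SAMPLE_PACKAGE_JSON));
  console.log('plain-HTTP resources:', findInsecureResources(SAMPLE_HTML));
  console.log('rewritten markup:\n' + rewriteToHttps(SAMPLE_HTML));
}

main();
```

Running the script reports the igniteui 0.0.5 dependency and the two plain-HTTP resource tags, then prints the markup with those references rewritten to https://; the unaffected express dependency and the already-HTTPS script are left alone. After applying the rewrite, running findInsecureResources over the result returns an empty list, which is the check to repeat against real pages once the server is serving over TLS.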
No official patch available. Check for workarounds or monitor for updates.
CVE-2016-10552 is a vulnerability in igniteui versions ≤0.0.5 where JavaScript and CSS resources are downloaded over unencrypted HTTP, allowing network attackers to intercept data.
You are affected if your application uses igniteui version 0.0.5 or earlier and resources are being served over HTTP. Upgrade to ignite-ui or enable HTTPS.
The recommended fix is to upgrade to the ignite-ui package. Alternatively, configure your web server to serve resources over HTTPS.
There are currently no known active exploits or campaigns targeting CVE-2016-10552.
The vulnerability is documented in the npm advisory and related discussions, although the package is deprecated. Refer to the ignite-ui project for current recommendations.