CVE-2016-10534: Improper Certificate Validation

February 18, 2019 (updated January 8, 2021)

electron-packager is a command line tool that packages Electron source code into .app and .exe packages. along with Electron. The --strict-ssl command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not explicitly set to true. This could allow an attacker to perform a man in the middle attack.

References

github.com/advisories/GHSA-q43m-ffwr-rpcc
github.com/electron-userland/electron-packager/issues/333
nodesecurity.io/advisories/104
nvd.nist.gov/vuln/detail/CVE-2016-10534
www.npmjs.com/advisories/104

Detect and mitigate CVE-2016-10534 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →