CVE-2016-10594: ipip downloads Resources over HTTP

February 18, 2019 (updated January 14, 2025)

Affected versions of ipip insecurely downloads resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution.

References

github.com/ChiChou/node-ipip
github.com/advisories/GHSA-9gqh-q4cx-f2h9
nvd.nist.gov/vuln/detail/CVE-2016-10594
www.npmjs.com/advisories/184

Detect and mitigate CVE-2016-10594 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →