CVE-2016-10578: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

February 18, 2019 (updated January 8, 2021)

unicode loads unicode data downloaded from unicode.org into nodejs. Unicode before 9.0.0 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.

References

github.com/advisories/GHSA-qjf4-7642-c57p
nodesecurity.io/advisories/161
nvd.nist.gov/vuln/detail/CVE-2016-10578
www.npmjs.com/advisories/161

Detect and mitigate CVE-2016-10578 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →