In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `herbivore`.

## Recommendation

The module author has rewritten much of the package, and in that process, patched the vulnerability, but has not published any of the new code to npm.

In order to get an updated version, it is necessary to install the package from github. This can be done using the following command:
```
npm i samatt/herbivore
```

Affected Packages

npm herbivore

Affected versions: 0 (last affected: 0.0.3)

Related CVEs

CVE-2016-10665

Key Information

GHSA ID

GHSA-7r2x-3qcm-8vfw

Published

February 18, 2019 11:44 PM

Last Modified

September 13, 2023 10:21 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

herbivore

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 3, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.