Loading HuntDB...

GHSA-w364-8vfv-gvf5

GitHub Security Advisory

Downloads Resources over HTTP in phantomjs-cheniu

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Affected versions of `phantomjs-cheniu` insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `phantomjs-cheniu`.

## Recommendation

No patch is currently available for this vulnerability.

As this package is just a fork of Medium's [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs) package, the best mitigation is currently to install the `Medium` version of [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs). This can be done via the following command:
```
npm i phantomjs-prebuilt
```

Affected Packages

npm phantomjs-cheniu
Affected versions: 0 (last affected: 2.0.1)

Related CVEs

Key Information

GHSA ID
GHSA-w364-8vfv-gvf5
Published
February 18, 2019 11:44 PM
Last Modified
January 8, 2021 1:57 AM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
phantomjs-cheniu
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.