Affected versions of webrtc-native
insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running webrtc-native
.
No direct patch is currently available for this vulnerability.
However, if the native components of webrtc-native
are built from source, this avoids download the precompiled binary, therefore mitigating the insecure download.
The package author has provided instructions for building from source here.
CPE | Name | Operator | Version |
---|---|---|---|
webrtc-native | ge | 0.0.0 |