Description
geoip-lite-country is a stripped down version of geoip-lite, supporting only country lookup. geoip-lite-country before 1.1.4 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
Remediation
References
https://nodesecurity.io/advisories/183
Related Vulnerabilities
CVE-2022-35948 Vulnerability in maven package org.webjars.npm:undici
CVE-2018-17785 Vulnerability in maven package cc.blynk.server.api.core:http-core
CVE-2022-33987 Vulnerability in maven package org.webjars.npm:got
CVE-2013-4590 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2023-38704 Vulnerability in npm package import-in-the-middle