CVE-2016-10628
CVE-2016-10628
In short
selenium-wrapper downloads software components over unencrypted HTTP instead of secure HTTPS, allowing attackers on the network to intercept and replace these files with malicious versions, potentially executing harmful code on your computer.
Technical detail
selenium-wrapper fetches binary resources via unencrypted HTTP, enabling man-in-the-middle (MITM) attacks where a network-positioned attacker can substitute legitimate binaries with malicious payloads, resulting in remote code execution during installation or runtime. The vulnerability requires network access between the victim and the download source but no authentication bypass.
Summary generated and translated by AI from the official description.
selenium-wrapper is a selenium server wrapper, including installation and chrome webdriver. selenium-wrapper downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Affected products
HackerOne · selenium-wrapper node moduleWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://nodesecurity.io/advisories/224