Homepage
About Snyk

Command Injection Affecting chromedriver package, versions <119.0.1

0.0
medium

Snyk CVSS

    Attack Complexity High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.07% (29th percentile)
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-CHROMEDRIVER-6049539
  • published 8 Nov 2023
  • disclosed 6 Nov 2023
  • credit Coimbra Miguel
Report a new vulnerability Found a mistake?

Introduced: 6 Nov 2023

CVE-2023-26156 Open this link in a new tab
CWE-78 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade chromedriver to version 119.0.1 or higher.

Overview

chromedriver is a ChromeDriver for Selenium

Affected versions of this package are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.

Note:

An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver.