Command Injection Affecting chromedriver package, versions <119.0.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.2% (60th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-CHROMEDRIVER-6049539
  • published8 Nov 2023
  • disclosed6 Nov 2023
  • creditCoimbra Miguel

Introduced: 6 Nov 2023

CVE-2023-26156  (opens in a new tab)
CWE-78  (opens in a new tab)
First added by Snyk

How to fix?

Upgrade chromedriver to version 119.0.1 or higher.

Overview

chromedriver is a ChromeDriver for Selenium

Affected versions of this package are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.

Note:

An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver.

CVSS Scores

version 3.1