CVE-2016-10579
HIGH 8.1 | EPSS 0.77%
chromedriver Downloads Resources over HTTP
Published: 2/18/2019
Modified: 7/11/2025
Also known as: GHSA-jh5w-6964-x5cf
Description
Affected versions of `chromedriver` insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. This may result in arbitrary code execution if an attacker intercepts and modifies the downloaded binary file, replacing it with a malicious one.

## Recommendation

Update to version 2.26.1 or later.
Affected packages (1)
- npm/chromedriver from 0, < 2.25.2
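
To check a project against the affected range listed above, the following added example (not part of the advisory or of the chromedriver project) scans a parsed `package-lock.json` for `chromedriver` versions below 2.25.2. The sample lockfile and the `test-runner` package name are constructed for illustration.

```javascript
// Upper bound of the affected range on this page (from 0, < 2.25.2).
const FIRST_UNAFFECTED = [2, 25, 2];

// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; null if not a plain version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version sorts below 2.25.2 (a 2.25.2 pre-release does).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL, tag, missing field: report for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIRST_UNAFFECTED[i]) return p.nums[i] < FIRST_UNAFFECTED[i];
  }
  return p.pre;
}

// Handles both lockfile layouts: "packages" keyed by node_modules path
// (lockfileVersion 2/3) and nested "dependencies" (lockfileVersion 1).
function findAffected(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === "chromedriver" && isAffected(meta.version)) hits.push({ path, version: meta.version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path.split("node_modules/").pop(), path, meta);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      check(name, path, meta);
      walk(meta.dependencies, path + "/"); // transitive copies count too
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; "test-runner" is a hypothetical package.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  chromedriver: { version: "2.21.0" },
  "test-runner": { version: "1.0.0", dependencies: { chromedriver: { version: "2.25.2" } } },
} };
console.log(findAffected(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; nested copies pulled in by other packages are reported with their full `node_modules` path.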
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |