Affected versions of selenium-binaries
insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running selenium-binaries
.
No fix is currently available for this vulnerability.
The best mitigation currently available is to use an alternate package, such as selenium-webdriver, the official selenium bindings for node.js.
CPE | Name | Operator | Version |
---|---|---|---|
selenium-binaries | ge | 0.0.0 |