CVE-2016-10573
Description
baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows. baryton-saxophone versions below 3.0.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
baryton-saxophone npm module below 3.0.1 downloads binary resources over HTTP, enabling MITM attackers to swap binaries and achieve RCE.
Vulnerability
The npm module baryton-saxophone versions before 3.0.1 downloads binary resources (such as Selenium Server binaries) over plain HTTP instead of HTTPS [1][2]. This lack of transport encryption makes the downloaded binary vulnerable to man-in-the-middle (MITM) attacks during the download process. The module is used to install and launch Selenium Server on Mac, Linux, and Windows systems [1].
Exploitation
An attacker must be positioned on the network between the user and the remote server (e.g., on a shared Wi-Fi, compromised router, or via ARP spoofing) [1]. No additional authentication or user interaction beyond the normal module install/update process is required. The attacker intercepts the HTTP request for the binary and replaces the legitimate binary with a malicious one, which is then executed by the system [2].
Impact
Successful exploitation allows the attacker to achieve remote code execution (RCE) on the victim's machine [1][2]. The attacker-controlled binary runs with the privileges of the user or process that launched baryton-saxophone, leading to full compromise of the application or system depending on the execution context [1].
Mitigation
The vulnerability is fixed in baryton-saxophone version 3.0.1 [2]. Users should upgrade to this version or later immediately. No workaround is available if the module remains on an affected version. The advisory was published to the GitHub Advisory Database on February 18, 2019 [2]. There is no known inclusion in CISA's KEV catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| baryton-saxophone (npm) | < 3.0.1 | 3.0.1 |
Affected products
- Range: <3.0.1
- HackerOne / baryton-saxophone node module (v5), Range: <3.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6pwf-whc8-hjf6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-10573 (ghsa, ADVISORY)
- nodesecurity.io/advisories/240 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/240 (ghsa, WEB)
News mentions
No linked articles in our index yet.