CVE-2016-10604
Description
dalek-browser-chrome is Google Chrome bindings for DalekJS. dalek-browser-chrome downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
dalek-browser-chrome downloads its binary resources over unencrypted HTTP, allowing MITM attackers to substitute a malicious executable and achieve remote code execution.
Vulnerability
The npm package dalek-browser-chrome (versions <= 0.0.11) downloads Google Chrome binary resources via plain HTTP connections instead of HTTPS. This insecure transport exposes the binary to man-in-the-middle attacks during the download process because no TLS encryption or integrity verification is used for the fetched executable [1], [2].
Exploitation
An attacker with a privileged network position — such as being on the same local network, controlling a compromised router, or intercepting traffic at an ISP level — can intercept the HTTP download request and replace the legitimate binary with an attacker-controlled executable. No authentication or user interaction beyond the package’s normal installation is required; the package itself performs the unauthenticated HTTP download [2].
Impact
Successful exploitation leads to remote code execution (RCE) on the system where dalek-browser-chrome is installed. The attacker-supplied binary runs with the privileges of the user or process installing the package, giving the attacker full control over that execution context and the ability to compromise the entire host [1], [2].
Mitigation
No official patch is available for this vulnerability [2]. The recommended mitigation is to avoid using dalek-browser-chrome altogether; the package author suggests migrating to an alternative like TestCafé [2]. Users who must retain the package should only install or run it on private, trusted networks where the risk of MITM interception is minimized [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dalek-browser-chrome (npm) | <= 0.0.11 | — |
Affected products
- HackerOne / dalek-browser-chrome node module (range: All versions)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6q8q-rvf4-m4pg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10604 (GHSA-listed advisory)
- nodesecurity.io/advisories/199 (MITRE, x_refsource_MISC)
- www.npmjs.com/advisories/199 (GHSA-listed web reference)
News mentions
No linked articles in our index yet.