VYPR
High severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 16, 2024

CVE-2016-10694

Description

alto-saxophone is a module to install and launch Chromedriver for Mac, Linux or Windows. alto-saxophone versions below 2.25.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

alto-saxophone versions before 2.25.1 download Chromedriver binaries over unencrypted HTTP, enabling MITM attackers to swap binaries and achieve remote code execution.

Vulnerability

alto-saxophone, an npm module for installing and launching Chromedriver on Mac, Linux, or Windows, downloads binary resources over plain HTTP in versions below 2.25.1 [1], [2]. This insecure transport exposes the download to interception and modification by a network adversary.

Exploitation

An attacker with Man-in-the-Middle (MITM) capability—positioned on the same network or between the user and the remote server—can intercept the HTTP request for the Chromedriver binary [1], [2]. By replacing the legitimate binary with a malicious one, the attacker can deliver arbitrary code to the user's system.

Impact

Successful exploitation allows the attacker to execute arbitrary code on the victim's machine with the privileges of the user installing or running alto-saxophone [1], [2]. This constitutes full remote code execution (RCE) and a complete compromise of confidentiality, integrity, and availability.

Mitigation

Upgrade to alto-saxophone version 2.25.1 or later, which downloads binary resources over HTTPS [1], [2]. No other workaround is documented; users should ensure the package manager fetches the fixed version.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| alto-saxophone (npm) | < 2.25.1 | 2.25.1 |
