Moderate severity · OSV Advisory · Published Nov 9, 2023 · Updated Sep 4, 2024
CVE-2023-26156
CVE-2023-26156
Description
Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system. Note: An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| chromedriver (npm) | < 119.0.1 | 119.0.1 |
Affected products
1- Range: 100.0.0, 101.0.0, 102.0.0, …
Patches
1 · de961e34e023 · Hide private attributes from exports
6 files changed · +45 −20
lib/chromedriver.js+25 −15 modified
@@ -3,23 +3,23 @@ const path = require('path');
 const tcpPortUsed = require('tcp-port-used');
 function getPortFromArgs(args) {
 let port = 9515;
- if (!args) {
+ if (!args)
 return port;
- }
 const portRegexp = /--port=(\d*)/;
 const portArg = args.find(function (arg) {
 return portRegexp.test(arg);
 });
- if (portArg) {
+ if (portArg)
 port = parseInt(portRegexp.exec(portArg)[1]);
- }
 return port;
 }
 process.env.PATH = path.join(__dirname, 'chromedriver') + path.delimiter + process.env.PATH;
-exports.path = process.platform === 'win32' ? path.join(__dirname, 'chromedriver', 'chromedriver.exe') : path.join(__dirname, 'chromedriver', 'chromedriver');
-exports.version = '119.0.6045.105';
-exports.start = function (args, returnPromise) {
- let command = exports.path;
+const crpath = process.platform === 'win32' ? path.join(__dirname, 'chromedriver', 'chromedriver.exe') : path.join(__dirname, 'chromedriver', 'chromedriver');
+const version = '119.0.6045.105';
+let defaultInstance = null;
+
+function start(args, returnPromise) {
+ let command = crpath;
 if (!fs.existsSync(command)) {
 console.log('Could not find chromedriver in default path: ', command);
 console.log('Falling back to use global chromedriver bin');
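Review bot: The `fs.existsSync(command)` fallback at the end of this hunk still hands the spawn over to a "global chromedriver bin", and the assignment that does so sits between the two hunks, so how that name is resolved cannot be confirmed from here. If it is a bare `chromedriver` looked up through `PATH`, the binary that runs still depends on the process environment, which the `process.env.PATH = ...` line only prepends to. A comment above the fallback such as `// fallback resolves via PATH; the caller's environment decides which binary runs` would make that remaining trust assumption explicit. The body of `start` continues past this hunk.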
@@ -28,20 +28,30 @@ exports.start = function (args, returnPromise) {
 const cp = require('child_process').spawn(command, args);
 cp.stdout.pipe(process.stdout);
 cp.stderr.pipe(process.stderr);
- exports.defaultInstance = cp;
- if (!returnPromise) {
+ defaultInstance = cp;
+ if (!returnPromise)
 return cp;
- }
 const port = getPortFromArgs(args);
 const pollInterval = 100;
 const timeout = 10000;
 return tcpPortUsed.waitUntilUsed(port, pollInterval, timeout)
 .then(function () {
 return cp;
 });
-};
-exports.stop = function () {
- if (exports.defaultInstance != null) {
- exports.defaultInstance.kill();
+}
+
+function stop() {
+ if (defaultInstance != null)
+ defaultInstance.kill();
+ defaultInstance = null;
+}
+
+module.exports = {
+ path: crpath,
+ version,
+ start,
+ stop,
+ get defaultInstance() {
+ return defaultInstance;
 }
 };
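Review bot: `path: crpath` in the new `module.exports` is still an ordinary writable data property, so an assignment to `chromedriver.path` succeeds silently while `start()` ignores it and spawns `crpath`. A caller that relied on overriding the path gets no signal that the override was dropped, and reading `chromedriver.path` back afterwards reports a binary that is not the one being run. Exposing it the same way as `defaultInstance`, with `get path() { return crpath; },`, keeps the exported value in step with what is spawned and makes the assignment throw in strict-mode callers.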
.npmignore+1 −0 modified
@@ -5,6 +5,7 @@ tmp
 Dockerfile
 *.sh
 testInstall.js
+testStart.js
 update.js
 *.tgz
 .vscode
package.json+1 −1 modified
@@ -1,6 +1,6 @@
 {
 "name": "chromedriver",
- "version": "119.0.0",
+ "version": "119.0.1",
 "keywords": [
 "chromedriver",
 "selenium"
package-lock.json+2 −2 modified
@@ -1,12 +1,12 @@
 {
 "name": "chromedriver",
- "version": "119.0.0",
+ "version": "119.0.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "chromedriver",
- "version": "119.0.0",
+ "version": "119.0.1",
 "hasInstallScript": true,
 "license": "Apache-2.0",
 "dependencies": {
testStart.js+14 −0 added
@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+
+"use strict";
+const chromedriver = require('./lib/chromedriver');
+
+async function run() {
+ console.log(`Starting chromedriver. Instance: ${JSON.stringify(chromedriver)}`);
+ await chromedriver.start(null, true);
+ console.log(`Started Chromedriver. Instance is null: ${chromedriver.defaultInstance === null}.`);
+ chromedriver.stop();
+ console.log(`Stopped Chromedriver. Instance is null: ${chromedriver.defaultInstance === null}.`);
+}
+
+run();
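Review bot: This script only logs state and never checks the behaviour the commit is about, namely that an assignment to `chromedriver.path` after `require` no longer changes which binary `start()` spawns. Capturing `const expected = chromedriver.path;` up front and comparing it with `cp.spawnfile` on the process returned by `start(null, true)` would turn it into a regression check for the advisory. Separately, the bare `run();` leaves the promise unhandled, so a `waitUntilUsed` timeout ends the script without `stop()` being called; `run().catch((err) => { console.error(err); chromedriver.stop(); process.exitCode = 1; });` covers that.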
update.js+2 −2 modified@@ -21,14 +21,14 @@ async function getLatest() { } /* Provided a new Chromedriver version such as 77.0.3865.40: - - update the version inside the ./lib/chromedriver helper file e.g. exports.version = '77.0.3865.40'; + - update the version inside the ./lib/chromedriver helper file e.g. const version = '77.0.3865.40'; - bumps package.json version number - add a git tag using the new node-chromedriver version - add a git commit, e.g. Bump version to 77.0.0 */ async function writeUpdate(newVersion, shouldCommit) { const helper = fs.readFileSync('./lib/chromedriver.js', 'utf8'); - const versionExport = 'exports.version'; + const versionExport = 'const version'; const regex = new RegExp(`^.*${versionExport}.*$`, 'gm'); const updated = helper.replace(regex, `${versionExport} = '${newVersion}';`); const currentMajor = semver.major(currentVersionInPackageJson);
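Review bot: The pattern built from `versionExport` in `writeUpdate` matches any line that merely contains `const version`, because the string is wrapped in `^.*` and `.*$` with the `gm` flags. A later declaration such as `const versionInfo` or a comment mentioning it in `lib/chromedriver.js` would be overwritten with the version assignment as well. Anchoring the pattern to the declaration itself, equivalent to `/^const version = .*$/m`, limits the rewrite to the one intended line. The body of `writeUpdate` continues past this hunk.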
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5
- github.com/advisories/GHSA-hm92-vgmw-qfmx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-26156 (ghsa, ADVISORY)
- gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18 (ghsa, WEB)
- github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539 (ghsa, WEB)