CVE-2016-10579: chromedriver Downloads Resources over HTTP

February 18, 2019 (updated July 11, 2025)

Affected versions of chromedriver insecurely download resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. This may result in arbitrary code execution if an attacker intercepts and modifies the downloaded binary file, replacing it with a malicious one.

References

github.com/advisories/GHSA-jh5w-6964-x5cf
github.com/giggio/node-chromedriver
github.com/giggio/node-chromedriver/commit/71981099216b7c15ec01e50baaacb15fe1b85e56
github.com/giggio/node-chromedriver/issues/78
nvd.nist.gov/vuln/detail/CVE-2016-10579

Code Behaviors & Features

Detect and mitigate CVE-2016-10579 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →