CVE-2023-26156: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26156 affects versions of the package chromedriver before 119.0.1. The vulnerability was discovered and disclosed on November 6, 2023, and published on November 8, 2023. This security issue impacts the chromedriver package for Node.js, specifically when setting the chromedriver.path configuration (Snyk Advisory).

The vulnerability is classified as a Command Injection (CWE-78) vulnerability. When setting the chromedriver.path to an arbitrary system binary, it becomes possible to execute unauthorized commands. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NIST with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, while Snyk assessed it with a score of 5.6 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability could lead to unauthorized access and potentially malicious actions on the host system. An attacker could execute arbitrary commands through the manipulation of the chromedriver.path setting. However, the success of exploitation depends on the permissions and privileges of the process running chromedriver (Snyk Advisory).

The vulnerability has been fixed in chromedriver version 119.0.1. Users should upgrade to this version or higher to mitigate the risk. The fix involves changes to how the package handles private attributes and path configurations (GitHub Patch).