Selenium Grid/Selenoid Unauthenticated RCE
| Disclosed | Created |
|---|---|
| May 28, 2021 | Apr 14, 2026 |
Description
Selenium Grid and Selenoid expose a WebDriver API that allows creating
browser sessions with arbitrary capabilities. When deployed without
authentication (the default for both), an attacker can achieve remote
code execution through two browser-specific techniques:

For Chrome, the goog:chromeOptions binary field can be set to an
arbitrary executable such as /usr/bin/python3, since ChromeDriver does
not validate it. This was fixed in Selenium Grid 4.11.0 via the
stereotype capabilities merge. All Selenoid versions remain vulnerable.

For Firefox, a custom profile containing a malicious MIME handler that
maps application/sh to /bin/sh can be injected via moz:firefoxOptions.
Navigating to a data: URI with that content type triggers shell
execution. This technique has never been patched and works on all
Selenium Grid versions including the latest release.

The module auto-detects available browsers and selects the best attack
vector. Firefox is preferred as it works on all Grid versions.

The default Docker images run as seluser/selenium with passwordless
sudo, allowing trivial privilege escalation to root.
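
A defensive check for the two capability fields described above, as an added example that is not part of the module or the original page: it inspects WebDriver new-session request bodies (for instance at a reverse proxy in front of the Grid) and flags a Chrome binary override or a client-supplied Firefox profile. The allowlisted binary paths, the function names and the sample requests are assumptions constructed for illustration.

```python
import json

# Assumption: the only browser binaries this deployment legitimately launches.
ALLOWED_CHROME_BINARIES = ("/usr/bin/google-chrome", "/usr/bin/chromium")

def capability_sets(body):
    """Yield each capability object a new-session body can carry."""
    caps = body.get("capabilities")
    if isinstance(caps, dict):
        yield caps.get("alwaysMatch") or {}
        first = caps.get("firstMatch")
        if isinstance(first, list):
            yield from first
    # Legacy JSON Wire Protocol clients send desiredCapabilities instead.
    yield body.get("desiredCapabilities") or {}

def audit_new_session(raw_body):
    """Return findings for one POST /session request body (JSON text)."""
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        return ["unparseable body"]
    if not isinstance(body, dict):
        return ["unparseable body"]
    findings = []
    for caps in capability_sets(body):
        if not isinstance(caps, dict):
            findings.append("malformed capabilities")
            continue
        chrome = caps.get("goog:chromeOptions")
        if isinstance(chrome, dict) and "binary" in chrome:
            if chrome["binary"] not in ALLOWED_CHROME_BINARIES:
                findings.append(f"chrome binary override: {chrome['binary']!r}")
        firefox = caps.get("moz:firefoxOptions")
        if isinstance(firefox, dict) and "profile" in firefox:
            findings.append("client-supplied firefox profile")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": '{"capabilities": {"alwaysMatch": {"browserName": "chrome"}}}',
    "chrome": '{"capabilities": {"firstMatch": [{"goog:chromeOptions": '
              '{"binary": "/usr/bin/python3"}}]}}',
    "firefox": '{"desiredCapabilities": {"moz:firefoxOptions": '
               '{"profile": "PLACEHOLDER_BASE64_ZIP"}}}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_new_session(raw))
```

The check covers all three places a client can place capabilities (alwaysMatch, firstMatch and legacy desiredCapabilities), since filtering only one of them leaves the others open.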
Authors
Platform
Linux, Python, Unix
Architectures
python, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':