Bekannte Sicherheitslücken (CVE) in selenium/node-chrome:nightly

CVE-ID	Schweregrad	Paket	Betroffene Version	Behobene Version	CVSS-Score
CVE-2026-41176	critical	rclone	>=1.45.0,<1.73.5	1.73.5	9.2
Summary The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Preconditions Preconditions for this vulnerability are: The rclone remote control API must be enabled, either by the `--rc` flag or by running the `rclone rcd` server The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the `--rc-addr` flag is in use The rc must have been deployed without global RC HTTP authentication - so not using `--rc-user`/`--rc-pass`/`--rc-htpasswd`/etc Details The root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced. The issue is caused by two properties of the RC implementation: `options/set` is exposed without `AuthRequired: true` the RC server enforces authorization for `AuthRequired` calls using the mutable runtime value `s.opt.NoAuth` Relevant code paths: `fs/rc/config.go` registers `options/set` without `AuthRequired: true` `rcOptionsSet` reshapes attacker-controlled input into global option blocks `fs/rc/rcserver/rcserver.go` request handling checks: `if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth()` once `rc.NoAuth` is changed to `true`, later `AuthRequired` methods become callable without credentials This creates a runtime auth-bypass primitive on the RC interface. After setting `rc.NoAuth=true`, previously protected administrative methods become callable, including configuration and operational endpoints such as: `config/listremotes` `config/dump` `config/get` `operations/list` `operations/copyfile` `core/command` Relevant code for the second-stage command execution path: `fs/metadata.go` `metadataMapper()` uses `exec.Command(...)` `fs/operations/rc.go` `operations/copyfile` is normally `AuthRequired: true` once `rc.NoAuth=true`, it becomes reachable without credentials This was validating using the following: current `master` as of 2026-04-14: `bf55d5e6d37fd86164a87782191f9e1ffcaafa82` latest public release tested locally: `v1.73.4` The issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution). PoC Minimal reproduction Start a vulnerable server: `rclone rcd --rc-addr 127.0.0.1:5572` No `--rc-user`, no `--rc-pass`, no `--rc-htpasswd`. First confirm that a protected RC method is initially blocked: `curl -sS -X POST http://127.0.0.1:5572/config/listremotes \ -H 'Content-Type: application/json' \ --data '{}'` Expected result: HTTP 403. Use unauthenticated `options/set` to disable the auth gate: `curl -sS -X POST http://127.0.0.1:5572/options/set \ -H 'Content-Type: application/json' \ --data '{"rc":{"NoAuth":true}}'` Expected result: HTTP 200 `{}` Then call the same protected method again without credentials: `curl -sS -X POST http://127.0.0.1:5572/config/listremotes \ -H 'Content-Type: application/json' \ --data '{}'` Expected result: HTTP 200 with a JSON response such as: `{"remotes":[]}` Testing performed This was successfully reproduced: on the tester's ocal test environment on a public amd64 Ubuntu host controlled by the tester Using the public host, the following was confirmed: unauthenticated `options/set` successfully set `rc.NoAuth=true` previously protected RC methods became callable without credentials the issue was reproducible through direct host execution Impact This is an authorization bypass on the RC administrative interface. It can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality. Depending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution. Package URL(s): `pkg:golang/github.com/rclone/rclone@1.73.4` More Info (NVD): https://nvd.nist.gov/vuln/detail/CVE-2026-41176
CVE-2026-41179	critical	rclone	>=1.48.0,<=1.73.4	1.73.5	9.2
CVE-2023-0645	medium	libjxl0.7	>=0	not fixed	9.1
CVE-2024-7055	medium	libswresample4	>=0	not fixed	8.8
CVE-2025-1594	medium	libswresample4	>=0	not fixed	8.8
CVE-2026-44973	high	v5	<5.9.0	5.9.0	8.1
CVE-2024-32230	medium	libswresample4	>=0	not fixed	7.8
CVE-2025-1352	low	libelf1t64	>=0	not fixed	7.5
CVE-2023-35790	medium	libjxl0.7	>=0	not fixed	7.5
CVE-2025-2173	medium	libzvbi0t64	>=0	not fixed	7.5

CVE-ID

Schweregrad

Paket

Betroffene Version

Behobene Version

CVSS-Score

CVE-2026-41176

critical

rclone

>=1.45.0,<1.73.5

1.73.5

9.2

Summary

The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

Preconditions

Preconditions for this vulnerability are:

The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server
The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the --rc-addr flag is in use
The rc must have been deployed without global RC HTTP authentication - so not using --rc-user/--rc-pass/--rc-htpasswd/etc

Details

The root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced.

The issue is caused by two properties of the RC implementation:

options/set is exposed without AuthRequired: true
the RC server enforces authorization for AuthRequired calls using the mutable runtime value s.opt.NoAuth

Relevant code paths:

fs/rc/config.go
- registers options/set without AuthRequired: true
- rcOptionsSet reshapes attacker-controlled input into global option blocks
fs/rc/rcserver/rcserver.go
- request handling checks:
  - if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth()
- once rc.NoAuth is changed to true, later AuthRequired methods become callable without credentials

This creates a runtime auth-bypass primitive on the RC interface.

After setting rc.NoAuth=true, previously protected administrative methods become callable, including configuration and operational endpoints such as:

config/listremotes
config/dump
config/get
operations/list
operations/copyfile
core/command

Relevant code for the second-stage command execution path:

fs/metadata.go
- metadataMapper() uses exec.Command(...)
fs/operations/rc.go
- operations/copyfile is normally AuthRequired: true
- once rc.NoAuth=true, it becomes reachable without credentials

This was validating using the following:

current master as of 2026-04-14: bf55d5e6d37fd86164a87782191f9e1ffcaafa82
latest public release tested locally: v1.73.4

The issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).

PoC

Minimal reproduction

Start a vulnerable server:

rclone rcd --rc-addr 127.0.0.1:5572

No --rc-user, no --rc-pass, no --rc-htpasswd.

First confirm that a protected RC method is initially blocked:

curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 403.

Use unauthenticated options/set to disable the auth gate:

curl -sS -X POST http://127.0.0.1:5572/options/set \
  -H 'Content-Type: application/json' \
  --data '{"rc":{"NoAuth":true}}'

Expected result: HTTP 200 {}

Then call the same protected method again without credentials:

curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 200 with a JSON response such as:

{"remotes":[]}

Testing performed

This was successfully reproduced:

on the tester's ocal test environment
on a public amd64 Ubuntu host controlled by the tester

Using the public host, the following was confirmed:

unauthenticated options/set successfully set rc.NoAuth=true
previously protected RC methods became callable without credentials
the issue was reproducible through direct host execution

Impact

This is an authorization bypass on the RC administrative interface.

It can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality.

Depending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution.

Package URL(s):

pkg:golang/github.com/rclone/rclone@1.73.4

More Info (NVD):

https://nvd.nist.gov/vuln/detail/CVE-2026-41176

CVE-2026-41179

critical

rclone

>=1.48.0,<=1.73.4

1.73.5

9.2

CVE-2023-0645

medium

libjxl0.7

>=0

not fixed

9.1

CVE-2024-7055

medium

libswresample4

>=0

not fixed

8.8

CVE-2025-1594

medium

libswresample4

>=0

not fixed

8.8

CVE-2026-44973

high

<5.9.0

5.9.0

8.1

CVE-2024-32230

medium

libswresample4

>=0

not fixed

7.8

CVE-2025-1352

low

libelf1t64

>=0

not fixed

7.5

CVE-2023-35790

medium

libjxl0.7

>=0

not fixed

7.5

CVE-2025-2173

medium

libzvbi0t64

>=0

not fixed

7.5

Schweregradstufen

Ausnutzung könnte zu schwerwiegenden Konsequenzen wie Systemkompromittierung oder Datenverlust führen. Erfordert sofortige Aufmerksamkeit.

Sicherheitslücke könnte relativ leicht ausgenutzt werden und erhebliche Auswirkungen haben. Erfordert zeitnahe Aufmerksamkeit.

Ausnutzung ist möglich, erfordert aber möglicherweise spezifische Bedingungen. Auswirkungen sind moderat. Sollte zeitnah behoben werden.

Ausnutzung ist schwierig oder die Auswirkungen sind minimal. Kann bei Gelegenheit oder im Rahmen der regulären Wartung behoben werden.

Schweregrad ist nicht bestimmt, informativ oder vernachlässigbar. Überprüfung je nach Kontext.

Über den CVE-Scanner

Der CVE-Scanner ist ein leistungsstarkes Tool, das dir hilft, bekannte Sicherheitslücken in deinen Docker-Images zu identifizieren. Indem deine Images mit einer umfassenden Datenbank von Common Vulnerabilities and Exposures (CVEs) abgeglichen werden, kannst du sicherstellen, dass deine Anwendungen sicher und auf dem neuesten Stand sind. Für weitere Details, schau dir die NIST CVE-Datenbank an.

Warum CVE-Scanning für deine Docker-Images wichtig ist

Mit dem Anstieg von Supply-Chain-Angriffen ist die Sicherung deiner Anwendungen wichtiger denn je. CVE-Scanning spielt eine entscheidende Rolle bei der Identifizierung von Sicherheitslücken, die von Angreifern ausgenutzt werden könnten, insbesondere solche, die durch Abhängigkeiten und Drittanbieter-Komponenten eingeführt werden. Regelmäßiges Scannen und Sichern deiner Docker-Images ist essenziell, um deine Anwendungen vor diesen sich entwickelnden Bedrohungen zu schützen.

Was ist eine CVE?

CVE steht für Common Vulnerabilities and Exposures. Es ist ein standardisierter Bezeichner für bekannte Sicherheitslücken, der Entwicklern und Organisationen ermöglicht, potenzielle Risiken effektiv zu verfolgen und zu beheben. Für weitere Informationen, besuche cve.mitre.org.

Vorteile des CVE-Scannens

Erhöhte Sicherheit: Erkenne und behebe Sicherheitslücken, bevor sie ausgenutzt werden.
Compliance: Erfülle Branchenstandards und regulatorische Anforderungen für sichere Software.
Proaktive Wartung: Bleibe potenziellen Bedrohungen einen Schritt voraus, indem du Sicherheitslücken frühzeitig behebst.

Wie der CVE-Scanner funktioniert

Der CVE-Scanner analysiert deine Docker-Images anhand einer umfassenden Datenbank bekannter Sicherheitslücken. Er nutzt Docker Scout im Hintergrund, um detaillierte Einblicke in betroffene Pakete, Schweregradstufen und verfügbare Fixes zu liefern, sodass du sofort handeln kannst.

Die Bedeutung des Patchens von Docker-Images

Das Patchen deiner Docker-Images ist ein entscheidender Schritt, um die Sicherheit und Stabilität deiner Anwendungen zu gewährleisten. Durch regelmäßige Updates deiner Images mit den neuesten Sicherheitspatches kannst du bekannte Sicherheitslücken beheben und das Risiko einer Ausnutzung reduzieren. Dieser proaktive Ansatz stellt sicher, dass deine Anwendungen widerstandsfähig gegenüber neuen Bedrohungen bleiben und hilft, die Einhaltung von Sicherheitsstandards zu gewährleisten.

CVE-Scan für selenium/node-chrome:nightly

Docker-Image-Sicherheitslücken-Scanner

116 Bekannte Sicherheitslücken in diesem Docker-Image

Summary

Preconditions

Details

PoC

Minimal reproduction

Testing performed

Impact

Schweregradstufen

Über den CVE-Scanner

Warum CVE-Scanning für deine Docker-Images wichtig ist

Was ist eine CVE?

Vorteile des CVE-Scannens

Wie der CVE-Scanner funktioniert

Die Bedeutung des Patchens von Docker-Images

Du willst dieses Image deployen?