#VU108090 NULL pointer dereference in Selenium - CVE-2023-5590

Cybersecurity Help s.r.o.

Published: 2025-04-30

Vulnerability identifier: #VU108090

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-5590

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Selenium
Web applications / Modules and components for CMS

Vendor: seleniumhq.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Vulnerable software versions

Selenium: 0.9.2 - 4.13.1

External links
https://github.com/seleniumhq/selenium/commit/023a0d52f106321838ab1c0997e76693f4dcbdf6
https://huntr.dev/bounties/e268cd68-4f34-49bd-878b-82b96dcc0c99

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Observability with Instana

NULL pointer dereference in seleniumhq/selenium