Skip to main content

browserstack-cypress-cli CVE-2026-48723

HIGH
OS Command Injection (CWE-78)
2026-06-15 GitHub_M
7.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local CLI ingesting an attacker-supplied config file (AV:L, PR:N), reliable injection (AC:L), victim must run the CLI (UI:R), full RCE in user context gives C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 15, 2026 - 23:31 vuln.today
Analysis Generated
Jun 15, 2026 - 23:31 vuln.today

DescriptionCVE.org

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.

AnalysisAI

OS command injection in BrowserStack's browserstack-cypress-cli versions prior to 1.36.6 allows attackers who control the cypress_config_filepath value to execute arbitrary shell commands in the context of the user running the CLI. The vulnerable loadJsFile() function in readCypressConfigUtil.js interpolated the path into a shell command executed via child_process.execSync(), letting embedded quote and semicolon characters break out of the quoted argument. No public exploit identified at time of analysis, though the upstream commit and added negative tests effectively document the exact payload pattern.

Technical ContextAI

The flaw is a textbook CWE-78 (Improper Neutralization of Special Elements used in an OS Command) in a Node.js CLI distributed on npm. In bin/helpers/readCypressConfigUtil.js, the prior code built a command string with template literals - NODE_PATH="..." node "..." "${cypress_config_filepath}" on POSIX and a set NODE_PATH=...&& variant on Windows - and handed it to child_process.execSync, which always spawns a shell. Because the user-controlled cypress_config_filepath was only wrapped in double quotes with no escaping, characters like ", ;, &, |, backtick, and $() allow the attacker to terminate the quoted argument and append arbitrary shell syntax. The CPE cpe:2.3:a:browserstack:browserstack-cypress-cli:*:*:* covers all versions of the npm package up to the fix. The patch (commit 6dbf8f93) replaces execSync with execFileSync (which spawns node directly with no shell), passes NODE_PATH via the env option, and adds a defense-in-depth validateFilePath() that rejects any path containing ;"$|&(){}\`.

RemediationAI

Upstream fix available (commit 6dbf8f93); upgrade to the patched release published by BrowserStack - the advisory GHSA-fh4c-mffm-8xhf lists 1.36.6, while the CVE record references 1.36.4, so confirm against https://github.com/browserstack/browserstack-cypress-cli/security/advisories/GHSA-fh4c-mffm-8xhf and pin to whichever the vendor publishes. Until upgrade, treat browserstack.json and any externally supplied cypress_config_file value as untrusted: reject paths containing ; " $ | & ( ) { } \ (matching the upstream regex /[;"$|&(){}\\]/) before invoking the CLI, and avoid running browserstack-cypress on configs sourced from untrusted PRs or shared artifacts. Side effects are minimal - legitimate config paths almost never contain those metacharacters, though paths with spaces remain valid since space is not in the deny set. Do not attempt to mitigate by quoting/escaping in shell wrappers; the underlying execSync still interprets metacharacters and the fix correctly switches to execFileSync to eliminate the shell entirely.

Share

CVE-2026-48723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy