browserstack-cypress-cli
CVE-2026-48723
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local CLI ingesting an attacker-supplied config file (AV:L, PR:N), reliable injection (AC:L), victim must run the CLI (UI:R), full RCE in user context gives C/I/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.
AnalysisAI
OS command injection in BrowserStack's browserstack-cypress-cli versions prior to 1.36.6 allows attackers who control the cypress_config_filepath value to execute arbitrary shell commands in the context of the user running the CLI. The vulnerable loadJsFile() function in readCypressConfigUtil.js interpolated the path into a shell command executed via child_process.execSync(), letting embedded quote and semicolon characters break out of the quoted argument. No public exploit identified at time of analysis, though the upstream commit and added negative tests effectively document the exact payload pattern.
Technical ContextAI
The flaw is a textbook CWE-78 (Improper Neutralization of Special Elements used in an OS Command) in a Node.js CLI distributed on npm. In bin/helpers/readCypressConfigUtil.js, the prior code built a command string with template literals - NODE_PATH="..." node "..." "${cypress_config_filepath}" on POSIX and a set NODE_PATH=...&& variant on Windows - and handed it to child_process.execSync, which always spawns a shell. Because the user-controlled cypress_config_filepath was only wrapped in double quotes with no escaping, characters like ", ;, &, |, backtick, and $() allow the attacker to terminate the quoted argument and append arbitrary shell syntax. The CPE cpe:2.3:a:browserstack:browserstack-cypress-cli:*:*:* covers all versions of the npm package up to the fix. The patch (commit 6dbf8f93) replaces execSync with execFileSync (which spawns node directly with no shell), passes NODE_PATH via the env option, and adds a defense-in-depth validateFilePath() that rejects any path containing ;"$|&(){}\`.
RemediationAI
Upstream fix available (commit 6dbf8f93); upgrade to the patched release published by BrowserStack - the advisory GHSA-fh4c-mffm-8xhf lists 1.36.6, while the CVE record references 1.36.4, so confirm against https://github.com/browserstack/browserstack-cypress-cli/security/advisories/GHSA-fh4c-mffm-8xhf and pin to whichever the vendor publishes. Until upgrade, treat browserstack.json and any externally supplied cypress_config_file value as untrusted: reject paths containing ; " $ | & ( ) { } \ (matching the upstream regex /[;"$|&(){}\\]/) before invoking the CLI, and avoid running browserstack-cypress on configs sourced from untrusted PRs or shared artifacts. Side effects are minimal - legitimate config paths almost never contain those metacharacters, though paths with spaces remain valid since space is not in the deny set. Do not attempt to mitigate by quoting/escaping in shell wrappers; the underlying execSync still interprets metacharacters and the fix correctly switches to execFileSync to eliminate the shell entirely.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today