
BrowserStack Runner CVE-2026-49144

EUVD-2026-34031 · HIGH
Path Traversal (CWE-22)
2026-06-02 · VulnCheck · GHSA-8rpw-6cqh-2v9h
CVSS 4.0 (NVD): 7.1

Severity by source

NVD (primary): 7.1 HIGH
Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (6 events)

Jun 02, 2026 21:28 · vuln.today: Analysis updated, v3 (cvss_changed)
Jun 02, 2026 21:28 · vuln.today: Analysis updated, v2 (cvss_changed)
Jun 02, 2026 21:22 · vuln.today: Re-analysis queued (cvss_changed)
Jun 02, 2026 21:22 · NVD: Severity changed, MEDIUM to HIGH
Jun 02, 2026 21:22 · NVD: CVSS changed, 6.5 (MEDIUM) to 7.1 (HIGH)
Jun 02, 2026 21:20 · vuln.today: Analysis generated

Description (CVE.org)

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.

Analysis (AI-generated)

Arbitrary file disclosure in BrowserStack Runner versions through 0.9.5 allows unauthenticated network-adjacent attackers to read sensitive files outside the project root by abusing a path traversal flaw in the default HTTP handler of lib/server.js. Because the embedded test server binds on all interfaces by default, any attacker on the same network segment (Wi-Fi, VLAN, or shared LAN) can retrieve source code, credentials, or environment files. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Join shared LAN/Wi-Fi as developer
Delivery: Scan for BrowserStack Runner HTTP port
Exploit: Send GET with ../ traversal sequence
Execution: _default handler reads file outside project root
Impact: Exfiltrate credentials, source, and dotfiles

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires (1) a victim actively running BrowserStack Runner ≤ 0.9.5, since the vulnerable HTTP server only listens during a test execution window, (2) network-adjacent reachability to the host (the CVSS AV:A and the description's 'bound on all interfaces' together mean same-LAN/VLAN/Wi-Fi reachability is sufficient but routed Internet access is not), and (3) the attacker knowing or scanning for the ephemeral listening port. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) scores 7.1 and accurately captures the real risk: adjacent-network attack vector, low complexity, no privileges or user interaction required, and high confidentiality impact with no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: While a developer runs BrowserStack Runner on a corporate laptop connected to guest Wi-Fi, an attacker on the same subnet scans for the listening test server port and sends a crafted HTTP GET such as /../../../../Users/dev/.aws/credentials, which the _default handler resolves outside the project root and returns. The attacker harvests cloud keys, SSH private keys, and source files in seconds; no authentication, user interaction, or public exploit code is required because the traversal pattern is trivial.

Remediation: Upgrade to the patched release published by BrowserStack as referenced in GHSA-8rpw-6cqh-2v9h; the advisory data confirms a fix is available upstream, but a specific fixed release version is not independently confirmed in the supplied intelligence, so consult the advisory directly for the exact tag. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

24 hours: Inventory all BrowserStack Runner installations, identify versions, and restrict test server access to trusted networks only. …



CVE-2026-49144 vulnerability details – vuln.today
