
BrowserStack Runner EUVD-2026-34029 | CVE-2026-49143 HIGH
Code Injection (CWE-94)
Published 2026-06-02 · VulnCheck · GHSA-6vr3-7wcx-v5g5
Score: 8.7 (CVSS 4.0 · NVD)

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Jun 02, 2026 - 21:22 · vuln.today: Re-analysis Queued
Jun 02, 2026 - 21:22 · NVD: CVSS changed, 8.8 (HIGH) → 8.7 (HIGH)
Jun 02, 2026 - 21:21 · vuln.today: Analysis Generated

Description (CVE.org)

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

Analysis (AI)

Remote code execution in BrowserStack Runner through version 0.9.5 allows network-adjacent unauthenticated attackers to execute arbitrary code on the host system by sending crafted JSON to the /_log HTTP handler. The flaw stems from unsafe use of vm.runInNewContext() combined with eval(), and a known sandbox-escape technique via util.format and this.constructor.constructor enables full host compromise. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Gain adjacent network access to victim host
Delivery: Discover BrowserStack Runner /_log port
Exploit: Send crafted JSON to /_log handler
Install: Trigger vm.runInNewContext with eval payload
C2: Escape sandbox via this.constructor.constructor
Execute: Execute arbitrary code as runner user
Impact: Exfiltrate credentials and source code

Vulnerability Assessment (AI)

Exploitation: The victim must be running BrowserStack Runner 0.9.5 or earlier with its local HTTP server listening on a network interface reachable to the attacker - the CVSS AV:A constraint means the attacker must be on the same Layer-2 / adjacent network segment (same VLAN, Wi-Fi, or virtual subnet), not arbitrary internet routes. …

Risk Assessment: The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates adjacent-network reachability, low complexity, no authentication, no user interaction, and full CIA impact - a serious profile mitigated only by the AV:A (adjacent) scope, meaning the attacker must be on the same broadcast/L2 segment or able to reach the local listening port. …

Exploit Scenario: An attacker on the same office LAN, coffee-shop Wi-Fi, or co-tenant cloud subnet as a developer running BrowserStack Runner sends a single crafted POST to the /_log endpoint with a JSON payload designed to traverse this.constructor.constructor via util.format. The payload escapes the Node.js vm sandbox and executes arbitrary commands as the developer's user, allowing the attacker to exfiltrate source code, SSH keys, cloud credentials, and BrowserStack API tokens from the host. …

Remediation: Upgrade to a fixed release of BrowserStack Runner as published in GHSA-6vr3-7wcx-v5g5 at https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-6vr3-7wcx-v5g5; a specific fixed version is not explicitly stated in the provided data, so consult the GHSA advisory for the exact patched version (patch available per vendor advisory). …

Recommended Action (AI)

Within 24 hours: Inventory all systems running BrowserStack Runner 0.9.5 and earlier; assess criticality of test workflows dependent on this tool. …


EUVD-2026-34029 vulnerability details – vuln.today
