CVE-2026-25244
Command Injection vulnerability in browserstack-service (npm)
What is CVE-2026-25244 About?
This command injection vulnerability in `@wdio/browserstack-service` allows remote code execution (RCE): during test orchestration the service processes git branch names without sanitizing them. An attacker can create a malicious git repository whose branch name carries a shell command payload. The result is remote code execution on CI/CD servers or developer machines, and the flaw is relatively easy to exploit through a malicious repository.
Affected Software
Technical Details
The `@wdio/browserstack-service` package is vulnerable to command injection because user-controlled git branch names are interpolated directly into `execSync()` calls without sanitization. Git branch names, which may contain shell metacharacters, are processed by `getGitMetadataForAISelection()`. An attacker can create a git repository with a branch name such as `main;touch${IFS}/tmp/pwned.txt;echo${IFS}PWNED`. When WebdriverIO is configured to use this repository (either explicitly via `testOrchestrationOptions.runSmartSelection.source`, or implicitly because it is the current directory), the shell spawned by `execSync()` interprets the metacharacters in the branch name as command separators and variable expansions rather than as part of the ref, leading to remote code execution. This can compromise CI/CD servers or developer machines.
What is the Impact of CVE-2026-25244?
Successful exploitation may allow attackers to execute arbitrary code on CI/CD servers or developer machines, which can lead to information disclosure, data exfiltration, full system compromise, and downstream supply chain attacks.
What is the Exploitability of CVE-2026-25244?
Exploitation of this vulnerability is of low to medium complexity. It requires an attacker to create a malicious git repository with a specially crafted branch name and then convince a user to configure WebdriverIO to use that repository. No authentication is required for the command injection itself, since it occurs while the git branch name is processed, but the attacker must supply the malicious repository. The privileges gained are those of the user or system account running the WebdriverIO process. This is a remote vulnerability because the malicious input (the git repository) can be controlled remotely. The main precondition is use of `@wdio/browserstack-service` with `testOrchestrationOptions.runSmartSelection.enabled` turned on. The risk is significantly higher in development or CI/CD pipelines that pull from untrusted git repositories, or where users might inadvertently configure WebdriverIO with a malicious source.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-25244?
Available Upgrade Options
- @wdio/browserstack-service
  - <9.24.0 → Upgrade to 9.24.0
Additional Resources
- https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7j7
- https://github.com/webdriverio/webdriverio/releases/tag/v9.24.0
- https://github.com/webdriverio/webdriverio
- https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204
- https://osv.dev/vulnerability/GHSA-5c46-x3qw-q7j7
What are Similar Vulnerabilities to CVE-2026-25244?
Similar Vulnerabilities: CVE-2023-29007, CVE-2023-29008, CVE-2023-29011, CVE-2023-29012, CVE-2023-38038
