CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-49143: Unauthenticated Remote Code Execution in browserstack-runner

Vulnerability ID: CVE-2026-49143
CVSS Score: 8.8
Published: 2026-06-03

An unauthenticated remote code execution (RCE) vulnerability exists in the browserstack-runner npm package, versions up to and including 0.9.5. The flaw lies in the /_log HTTP endpoint handler, which evaluates user-supplied input inside a Node.js vm context (the vm module is documented as not being a security mechanism and provides no isolation from the host process) combined with dynamic eval() execution. Attackers on an adjacent network can exploit this behavior to escape the sandbox and execute arbitrary system commands on the host machine.

TL;DR

Unauthenticated remote code execution vulnerability in browserstack-runner <= 0.9.5 via a sandbox escape in the /_log HTTP handler.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94: Improper Control of Generation of Code ('Code Injection')
  • Attack Vector: Adjacent Network
  • CVSS v3.1 Score: 8.8
  • CVSS v4.0 Score: 8.7
  • Exploit Status: PoC
  • KEV Status: Not Listed
  • Impact: High (Complete Confidentiality, Integrity, and Availability Loss)

Affected Systems

  • Workstations running browserstack-runner configurations locally
  • Continuous integration (CI/CD) runners executing automated cross-browser suites
  • Local development servers utilizing browserstack-runner <= 0.9.5
  • browserstack-runner: <= 0.9.5

Exploit Details

  • VulnCheck Advisory Portal: exploit confirmation describing the vm sandbox escape methodology and the commands an unauthenticated attacker can run on the target.

Mitigation Strategies

  • Do not pass user-controlled input to the Node.js vm module or to eval(); the vm module is not a security boundary, so code run through it can still reach the host process.
  • Restrict HTTP listener bindings in lib/server.js to 127.0.0.1 instead of 0.0.0.0 to prevent adjacent network access.
  • Introduce token-based session validation checks on the /_log endpoint to reject unauthenticated requests.

Remediation Steps

  1. Open the file lib/server.js within the browserstack-runner installation directory.
  2. Locate the route definition mapping to the /_log handler.
  3. Replace the calls to vm.runInNewContext() and eval() with a safe mapping function that treats the log arguments as data, stringifying or sanitizing them instead of executing them.
  4. Modify the HTTP listen configuration to specify host '127.0.0.1' rather than binding to all network interfaces.
