CVE-2026-49144: Unauthenticated Arbitrary File Read via Path Traversal in BrowserStack Runner
Vulnerability ID: CVE-2026-49144
CVSS Score: 7.1
Published: 2026-06-03
An unauthenticated path traversal vulnerability in BrowserStack Runner versions up to and including 0.9.5 allows remote or adjacent network attackers to read arbitrary files from the host system. The flaw exists within the local HTTP test server's fallback and patch file handlers, which fail to sanitize path inputs before passing them to file resolution APIs.
TL;DR
BrowserStack Runner through 0.9.5 permits unauthenticated remote file disclosure due to lack of path sanitization in its internal HTTP server handlers.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Adjacent Network (AV:A)
- CVSS v4 Score: 7.1 (High)
- EPSS Score: 0.00024
- Impact: Arbitrary File Disclosure
- Exploit Status: PoC
- KEV Status: Not Listed
Affected Systems
- BrowserStack Runner host systems running versions <= 0.9.5
-
BrowserStack Runner: <= 0.9.5 (Fixed in:
None)
Exploit Details
- VulnCheck: Exploit maturity analysis and details regarding the unauthenticated HTTP path traversal vulnerability.
Mitigation Strategies
- Implement server-side path resolution sanitization ensuring requested files remain within intended directories.
- Bind the local HTTP test server strictly to the loopback interface (127.0.0.1) instead of 0.0.0.0.
Remediation Steps:
- Inspect the local test runner setup to check if 'browserstack-runner' is being used.
- Integrate isSafePath validation code into lib/server.js as detailed in the technical patch section.
- Configure local firewalls to deny external inbound connections to test server ports (default 3000).
References
- NVD - CVE-2026-49144 Detail
- GitHub Security Advisory GHSA-8rpw-6cqh-2v9h
- VulnCheck Security Advisory
Read the full report for CVE-2026-49144 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)