@alon710
Created June 3, 2026 22:40
CVE-2026-49143: Unauthenticated Remote Code Execution in browserstack-runner - CVE Security Report

CVSS Score: 8.8
Published: 2026-06-03
Full Report: https://cvereports.com/reports/CVE-2026-49143

Summary

An unauthenticated remote code execution (RCE) vulnerability exists in the browserstack-runner npm package (versions up to and including 0.9.5). The flaw lies in the /_log HTTP endpoint handler, which evaluates user-supplied input with dynamic eval() inside a Node.js vm context that does not act as a secure sandbox. Network-adjacent attackers can exploit this behavior to escape the sandbox and execute arbitrary system commands on the host machine.

TL;DR

Unauthenticated remote code execution vulnerability in browserstack-runner <= 0.9.5 via a sandbox escape in the /_log HTTP handler.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-94: Improper Control of Generation of Code ('Code Injection')
  • Attack Vector: Adjacent Network
  • CVSS v3.1 Score: 8.8
  • CVSS v4.0 Score: 8.7
  • Exploit Status: poc
  • KEV Status: Not Listed
  • Impact: High (Complete Confidentiality, Integrity, and Availability Loss)

Affected Systems

  • Workstations running browserstack-runner configurations locally
  • Continuous integration (CI/CD) runners executing automated cross-browser suites
  • Local development servers utilizing browserstack-runner <= 0.9.5
  • browserstack-runner: <= 0.9.5

Mitigation

  • Avoid using the Node.js built-in vm module or eval() to parse user-controlled input.
  • Restrict HTTP listener bindings in lib/server.js to 127.0.0.1 instead of 0.0.0.0 to prevent adjacent network access.
  • Introduce token-based session validation checks on the /_log endpoint to reject unauthenticated requests.

Remediation Steps:

  1. Open the file lib/server.js within the browserstack-runner installation directory.
  2. Locate the route definition mapping to the /_log handler.
  3. Replace the calls to vm.runInNewContext() and eval() with a safe mapping function that stringifies or sanitizes arguments.
  4. Modify the HTTP listen configuration to specify host '127.0.0.1' rather than binding to all network interfaces.
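
The mitigations and remediation steps above, sketched as an added example (not browserstack-runner's code and not an official patch): a /_log handler that parses the body as JSON and stringifies each argument instead of evaluating it, requires a shared token, and is meant to listen on 127.0.0.1 only. The JSON body with an arguments array, the X-Log-Token header, the size cap and the port are assumptions.

```javascript
// Added example (not browserstack-runner's code). Names, port and the
// X-Log-Token header are assumptions made for illustration.
const http = require('node:http');
const crypto = require('node:crypto');

const MAX_BODY = 64 * 1024; // cap on request size (assumed limit)

// Constant-time token check; comparing digests keeps lengths equal.
function tokenOk(supplied, expected) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(supplied), h(expected));
}

// Treat the body as data only: JSON.parse never executes code, and each
// argument is rendered to a string instead of being passed to eval()/vm.
function formatLog(body) {
  let msg;
  try { msg = JSON.parse(body); } catch { return null; }
  if (!msg || !Array.isArray(msg.arguments)) return null;
  return msg.arguments
    .map((a) => (typeof a === 'string' ? a : JSON.stringify(a)))
    .join(' ');
}

function createLogServer(token, sink = console.log) {
  return http.createServer((req, res) => {
    const reply = (code) => { res.statusCode = code; res.end(); };
    if (req.method !== 'POST' || req.url !== '/_log') return reply(404);
    if (!tokenOk(req.headers['x-log-token'] || '', token)) return reply(401);
    let body = '';
    req.on('data', (c) => {
      body += c;
      if (body.length > MAX_BODY) req.destroy(); // drop oversized requests
    });
    req.on('end', () => {
      const line = formatLog(body);
      if (line === null) return reply(400);
      sink(line);
      reply(204);
    });
  });
}

// Bind to loopback only, never 0.0.0.0 (port is an assumed value):
// createLogServer(crypto.randomBytes(32).toString('hex')).listen(8888, '127.0.0.1');
```
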

Generated by CVEReports - Automated Vulnerability Intelligence
