{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/browserstack/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@wdio/browserstack-service (\u003c= 9.23.2)"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","supply-chain"],"_cs_type":"threat","_cs_vendors":["BrowserStack"],"content_html":"\u003cp\u003eA critical command injection vulnerability, tracked as CVE-2026-25244, has been identified in the \u003ccode\u003e@wdio/browserstack-service\u003c/code\u003e npm package, specifically affecting versions 9.23.2 and earlier. The vulnerability stems from the improper handling of git branch names within the test orchestration functionality. An attacker can exploit this flaw by crafting a malicious git repository with a branch name containing shell command injection payloads. When WebdriverIO processes this repository, the unsanitized branch name is passed to \u003ccode\u003eexecSync()\u003c/code\u003e, leading to arbitrary command execution on the system. 
In practice the exposed population is any CI job or developer workstation that runs the WebdriverIO suite against an untrusted checkout, for example a pull request from a fork: the injected commands run with the privileges of the test process, which in CI usually holds the pipeline's secrets, and a compromised pipeline can be turned into a supply chain attack on the artifacts it produces.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a git repository whose branch name carries a shell command injection payload, for example \u003ccode\u003emain;touch${IFS}/tmp/pwned.txt;echo${IFS}PWNED\u003c/code\u003e. git rejects spaces and control characters in ref names but accepts \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e$\u003c/code\u003e and braces, so the payload spells its argument separators as \u003ccode\u003e${IFS}\u003c/code\u003e, which the shell expands to whitespace and then splits into separate arguments.\u003c/li\u003e\n\u003cli\u003eThe victim's WebdriverIO configuration points at the attacker-controlled repository, either explicitly through \u003ccode\u003etestOrchestrationOptions.runSmartSelection.source\u003c/code\u003e or implicitly because that repository is the checkout in the current working directory.\u003c/li\u003e\n\u003cli\u003eWebdriverIO starts test orchestration, which calls \u003ccode\u003egetGitMetadataForAISelection()\u003c/code\u003e in \u003ccode\u003e@wdio/browserstack-service\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egetGitMetadataForAISelection()\u003c/code\u003e reads the current branch name from the repository.\u003c/li\u003e\n\u003cli\u003eThe branch name is interpolated, unquoted and unvalidated, into the command string passed to \u003ccode\u003eexecSync()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexecSync()\u003c/code\u003e hands that string to the system shell, which runs the injected commands with the privileges of the test process; the attacker can create files, change system configuration or exfiltrate secrets.\u003c/li\u003e\n\u003cli\u003eFrom there the attacker can move laterally within the network or tamper with build artifacts to mount a supply chain attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-25244 gives the attacker code execution on the CI/CD server or developer machine that runs the tests, with the privileges of the test process. From there the attacker can read environment variables, secrets and credentials; exfiltrate source code, SSH keys and configuration files; install backdoors and move laterally; and modify build artifacts to mount a supply chain attack. All versions of \u003ccode\u003e@wdio/browserstack-service\u003c/code\u003e up to and including 9.23.2 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@wdio/browserstack-service\u003c/code\u003e to a version later than 9.23.2 to remediate CVE-2026-25244, and confirm the resolved version in the lockfile rather than the range in \u003ccode\u003epackage.json\u003c/code\u003e. Until the upgrade lands, do not run test orchestration against untrusted checkouts such as pull requests from forks.\u003c/li\u003e\n\u003cli\u003eIn your own tooling, never build a shell command string from git output. Call git through \u003ccode\u003eexecFileSync()\u003c/code\u003e or \u003ccode\u003espawnSync()\u003c/code\u003e with an argument array so that no shell is involved, and treat validation of branch names as defence in depth only: git already rejects spaces and control characters in ref names, but \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e$\u003c/code\u003e and backticks are legal, so a git-valid name can still be a complete shell payload.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments (Sysmon Event ID 1 on Windows, auditd \u003ccode\u003eexecve\u003c/code\u003e records on Linux) so that a shell spawned by a Node.js process with \u003ccode\u003e${IFS}\u003c/code\u003e in its command line can be detected and investigated; that token appears in the payload because spaces are not allowed in a branch name, and it has no place in a normal CI command line.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2026-05-11T17:55:09Z","date_published":"2026-05-11T17:55:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-webdriverio-cmd-injection/","summary":"A command injection vulnerability (CVE-2026-25244) in `@wdio/browserstack-service` allows remote code execution (RCE) by processing malicious git branch names in test orchestration, where an attacker can inject shell commands via a crafted git repository.","title":"WebdriverIO BrowserStack Service Command Injection Vulnerability (CVE-2026-25244)","url":"https://feed.craftedsignal.io/briefs/2026-05-webdriverio-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — BrowserStack","version":"https://jsonfeed.org/version/1.1"}