Jun 3, 2026·6 min read·31 visits
Unauthenticated remote code execution vulnerability in browserstack-runner <= 0.9.5 via a sandbox escape in the /_log HTTP handler.
An unauthenticated remote code execution (RCE) vulnerability exists in the browserstack-runner npm package (versions up to and including 0.9.5). The flaw lies in the /_log HTTP endpoint handler, which evaluates user-supplied input within a non-secure Node.js VM context combined with dynamic eval() execution. Network-adjacent attackers can exploit this behavior to escape the sandbox and execute arbitrary system commands on the host machine.
The npm package browserstack-runner is designed to facilitate automated cross-browser testing by establishing a local HTTP server that communicates test status and logs back to the testing execution framework. By default, this HTTP daemon binds to all network interfaces (0.0.0.0) on port 8888. This configuration exposes the internal API endpoint handlers directly to any system residing on the same local area network or adjacent network segment.
While several critical endpoints within the runner server enforce authentication checks (such as verifying worker session UUIDs), the /_log HTTP handler lacks any form of access control or identity validation. This omission permits unauthenticated users on the adjacent network to interact directly with the endpoint.
When a POST request is made to /_log, the server accepts a JSON-formatted request body containing a sequence of log arguments. The server processes these arguments using dangerous evaluation primitives, leading directly to a code execution vector. The combination of unrestricted network exposure and insecure processing mechanics forms the basis of the security boundary failure.
The root cause of CVE-2026-49143 lies in the execution of unsanitized input within Node.js's native vm module, augmented by a nested call to eval(). Standard Node.js vm contexts do not establish a secure isolation boundary. The Node.js documentation explicitly states that the vm module is not a security mechanism and must not be used to run untrusted code.
The vulnerability is located in lib/server.js (lines 491–515). When a request is received on the /_log route, the application extracts the user-supplied query.arguments array and places it directly into the execution context. The application then attempts to evaluate each entry within a dynamic execution string mapped inside the sandbox.
Sandbox isolation is bypassed through two primary mechanisms. First, the application passes a host-context function reference (util.format) into the context configuration. Because this function originates from outside the sandbox, its constructor property references the global Function constructor of the parent Node.js process. Second, even in the absence of explicit function leakage, JavaScript prototype inheritance allows context navigation. An attacker can access the prototype of standard objects within the sandbox, such as this.constructor.constructor, to retrieve the host-level Function constructor. This constructor can then instantiate and execute arbitrary code in the host's main execution loop.
The vulnerable code path is implemented in lib/server.js as follows:
// lib/server.js - Lines 504-510 (Vulnerable Implementation)
var context = { input: query.arguments, format: util.format, output: '' };
var tryEvalOrString = 'function (arg) { try { return eval(\'o = \' + arg); } catch (e) { return arg; } }';
vm.runInNewContext('output = format.apply(null, input.map(' + tryEvalOrString + '));', context);The input array (query.arguments) maps directly to the input property inside the VM context. The string tryEvalOrString represents a JavaScript function that performs direct execution using eval('o = ' + arg). When vm.runInNewContext executes, it evaluates this mapping function over every index in the user-supplied input.
Because the format property points to the host's util.format library, the context is contaminated with a direct pathway back to the Node.js root runtime. The system processes the input inside the helper function via string concatenation in eval(), executing any arbitrary JavaScript statements embedded inside the query.arguments strings.
There is no validation or sanitization applied to query.arguments before it enters the tryEvalOrString execution loop. As a result, the sandbox environment is neutralized, permitting direct interaction with host system binaries.
Exploitation of CVE-2026-49143 requires three conditions: network access to the port on which browserstack-runner is listening, the absence of network firewalls blocking incoming connections, and an active runner server instance.
An attacker constructs a JSON payload containing an injection string targeting the array index of the arguments key. The objective of the injection is to escape the local scope, navigate to the parent constructor, retrieve the process global object, and invoke the operating system shell using the child_process module.
The payload retrieves the host context via the prototype constructor hierarchy. The string this.constructor.constructor("return process")() resolves to the master Node.js process object. From there, the attacker chains a call to require('child_process') and executes command-line binaries via synchronous execution methods.
curl -s http://<target_ip>:8888/_log \
-H "Content-Type: application/json" \
-d '{"arguments":["this.constructor.constructor(\"return process.mainModule.require(\\\`child_process\\\`).execSync(\\\`id\\\`).toString()\")()"]}'When the runner server parses this payload, it executes the payload within the nested helper context. The server subsequently returns a response or prints the execution results directly to the process log buffer, exposing the output of the local command execution back to the attacker.
The security impact of CVE-2026-49143 is rated high, with a CVSS v3.1 base score of 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability allows complete compromise of the workstation or build server executing the runner.
Because developers and continuous integration (CI) pipelines frequently run automated testing processes with high privileges, exploiting this vulnerability provides access to sensitive development environments. This includes access to environment variables, local source code, configuration files, cloud credentials, and private SSH/API keys.
The execution context inherits the user permissions of the shell running the Node.js application. If the developer runs the test suite with administrative or root privileges, the compromised environment inherits those credentials. This can lead to system-wide compromise or lateral movement within local corporate networks.
The recommended solution to resolve CVE-2026-49143 is to refactor the logging execution mechanism to eliminate dynamic interpretation engines. The system must not use eval() or vm.runInNewContext() to process logging strings.
To remediate this behavior locally, replace the sandbox processing chain with safe formatting and serialization functions. Converting log arguments directly to string representations prevents execution commands from being interpreted as program logic:
// Safe logging replacement
var safeOutput = query.arguments.map(function(arg) {
return typeof arg === 'object' ? JSON.stringify(arg) : String(arg);
}).join(' ');Additionally, restrict the network exposure of the HTTP daemon. Configure the server application to bind exclusively to 127.0.0.1 instead of 0.0.0.0 in lib/server.js. This binding modification restricts access to the local machine, preventing exploitation attempts from adjacent hosts over local networks or shared Wi-Fi connections.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
browserstack-runner browserstack | <= 0.9.5 | - |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Attack Vector | Adjacent Network |
| CVSS v3.1 Score | 8.8 |
| CVSS v4.0 Score | 8.7 |
| Exploit Status | poc |
| KEV Status | Not Listed |
| Impact | High (Complete Confidentiality, Integrity, and Availability Loss) |
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes the input before executing it.
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.