CVE-2026-25244: WebdriverIO BrowserStack Service has a Command Injection issue
A command injection vulnerability exists in @wdio/browserstack-service that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection payloads.
References
- github.com/advisories/GHSA-5c46-x3qw-q7j7
- github.com/webdriverio/webdriverio
- github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts
- github.com/webdriverio/webdriverio/releases/tag/v9.24.0
- github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7j7
- nvd.nist.gov/vuln/detail/CVE-2026-25244