CVE-2026-25244 - WebdriverIO BrowserStack branch command injection
@wdio/browserstack-service used git branch names in shell command execution
during BrowserStack test orchestration metadata collection. Git branch names can
contain characters that shells interpret, so a malicious branch or repository
could execute commands on developer machines or CI runners that run WebdriverIO
with BrowserStack smart selection.
This is a supply-chain and CI boundary issue: test metadata should never turn a repository-controlled branch name into a shell program.
When to use it
- A Node repository resolves
@wdio/browserstack-service <=9.23.2. - WebdriverIO BrowserStack smart selection or git metadata collection runs in CI, local test scripts, release validation, or fork/PR workflows.
- Branch names, tags, repository paths, or remote URLs can be influenced by untrusted contributors.
- You need a bounded PR or triage note that upgrades the service and hardens CI command execution.
Inputs
- Node manifests, lockfiles, WebdriverIO configs, CI workflows, Dockerfiles, SBOMs, generated test docs, and dependency reports.
- BrowserStack smart-selection settings, credential exposure model, branch policy, and fork/PR workflow rules.
- Local git metadata helpers,
exec/execSync/spawncalls, and any shell interpolation of branch names. - Available install, lint/typecheck, WebdriverIO config, unit, CI workflow lint, SBOM, and dependency scan commands.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
@wdio/browserstack-service |
<=9.23.2 |
9.24.0 |
Indicator-of-exposure
- The repository depends on
@wdio/browserstack-service <=9.23.2. - WebdriverIO BrowserStack service is enabled in CI, local test scripts, or release validation.
testOrchestrationOptions.runSmartSelectionis enabled, or test metadata is collected from git repositories.- CI runs tests on untrusted forks, pull requests, branches, or externally supplied repositories.
Quick checks:
rg -n "@wdio/browserstack-service|browserstack|runSmartSelection|testOrchestrationOptions|getGitMetadataForAISelection|execSync|git branch" .
npm ls @wdio/browserstack-service
pnpm why @wdio/browserstack-service
yarn why @wdio/browserstack-service
Remediation strategy
- Upgrade
@wdio/browserstack-serviceto9.24.0+. - Disable smart selection until patched where the repo cannot upgrade immediately.
- Replace any local shell-string git metadata calls with safe argv-based process calls.
- Harden CI so untrusted branch names do not run with secrets or deploy authority.
- Add regression tests that use hostile branch-name strings without executing a shell.
The prompt
You are remediating CVE-2026-25244 in `@wdio/browserstack-service`. Produce
exactly one output:
- A reviewer-ready PR/change request that upgrades the BrowserStack service,
refreshes lockfiles and generated artifacts, hardens CI branch handling, and
adds regression tests, or
- TRIAGE.md if this repository does not control an affected WebdriverIO
BrowserStack runtime.
## Rules
- Scope only CVE-2026-25244 and directly related CI/git metadata command
execution hardening.
- Do not create malicious git branches, run shell injection payloads, call out
to external networks, or write proof files.
- Do not print or commit CI secrets, BrowserStack credentials, environment
variables, SSH keys, package tokens, or build artifacts.
- Do not keep smart selection enabled on vulnerable versions.
- Do not auto-merge.
## Steps
1. Inventory Node package manifests, lockfiles, WebdriverIO configs, CI
workflows, Docker images, test helper scripts, BrowserStack credentials
handling, SBOMs, and docs.
2. Determine every resolved `@wdio/browserstack-service` version. A target is
vulnerable if it resolves to `<9.24.0`.
3. Search for `testOrchestrationOptions.runSmartSelection`, custom git
metadata helpers, `execSync`, `exec`, `shell: true`, and branch-name
interpolation in test tooling.
4. Upgrade `@wdio/browserstack-service` to `9.24.0+`. Regenerate lockfiles,
package-manager metadata, images, SBOMs, generated test docs, and dependency
reports.
5. If upgrade is blocked, disable BrowserStack smart selection in CI and local
scripts until a patched version is available.
6. Harden local code:
- use `execFile` or `spawn` with argv arrays;
- never interpolate branch names into shell strings;
- treat branch, tag, repo path, and remote URL as untrusted input.
7. Harden CI:
- do not expose BrowserStack keys or deployment secrets to untrusted forks;
- avoid running privileged test jobs on arbitrary branch names;
- document which jobs can run for external PRs.
8. Add tests using hostile branch-name strings that assert safe argv handling or
rejection without invoking a shell.
9. Add a PR body section named `CVE-2026-25244 operator actions` covering:
affected jobs, before/after package versions, smart-selection posture,
secrets reachable by old jobs, and whether CI credentials should be rotated.
10. Run validation: package install, WebdriverIO config validation, unit tests,
lint/typecheck, CI workflow lint, SBOM refresh, and dependency scan.
11. Use PR title:
`fix(sec): patch WebdriverIO BrowserStack command injection`.
## Stop conditions
- No affected WebdriverIO BrowserStack service is controlled by this repo.
- All controlled targets already resolve `@wdio/browserstack-service >=9.24.0`
and generated artifacts are current.
- Verification would require executing shell payloads or exposing CI secrets.
- The test workflow must run untrusted branches with secrets; document the owner
decision required in TRIAGE.md.
Verification - what the reviewer looks for
- No lockfile, image, SBOM, or CI artifact resolves a vulnerable BrowserStack service.
- Smart selection is patched or disabled.
- Branch-name handling uses argv-based process calls or rejects unsafe input.
- CI secrets are unavailable to untrusted branch contexts.
Output contract
- Reviewer-ready PR upgrading
@wdio/browserstack-serviceto9.24.0+, refreshing lockfiles, images, SBOMs, and generated artifacts. - CI and helper hardening that removes shell-string branch interpolation or disables smart selection until patched.
- Regression tests using hostile branch-name strings without executing shell payloads.
TRIAGE.mdwhen the repository does not control an affected BrowserStack runtime or cannot safely run privileged tests without secrets exposure.
Watch for
- BrowserStack configs copied across packages or examples.
- CI jobs where a dependency bump updates
package.jsonbut leaves a stale lockfile or test image. - Homegrown git metadata helpers with the same command-string pattern.
Related recipes
- Vulnerable dependency remediation
- Source code supply-chain build integrity audit
- CVE intelligence intake gate
References
- GitHub Advisory: https://github.com/advisories/GHSA-5c46-x3qw-q7j7
- Vendor advisory: https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7j7
- WebdriverIO 9.24.0 release: https://github.com/webdriverio/webdriverio/releases/tag/v9.24.0