CVE-2026-25244 - WebdriverIO BrowserStack branch command injection

@wdio/browserstack-service used git branch names in shell command execution during BrowserStack test orchestration metadata collection. Git branch names can contain characters that shells interpret, so a malicious branch or repository could execute commands on developer machines or CI runners that run WebdriverIO with BrowserStack smart selection.

This is a supply-chain and CI boundary issue: test metadata should never turn a repository-controlled branch name into a shell program.

When to use it

  • A Node repository resolves @wdio/browserstack-service <=9.23.2.
  • WebdriverIO BrowserStack smart selection or git metadata collection runs in CI, local test scripts, release validation, or fork/PR workflows.
  • Branch names, tags, repository paths, or remote URLs can be influenced by untrusted contributors.
  • You need a bounded PR or triage note that upgrades the service and hardens CI command execution.

Inputs

  • Node manifests, lockfiles, WebdriverIO configs, CI workflows, Dockerfiles, SBOMs, generated test docs, and dependency reports.
  • BrowserStack smart-selection settings, credential exposure model, branch policy, and fork/PR workflow rules.
  • Local git metadata helpers, exec/execSync/spawn calls, and any shell interpolation of branch names.
  • Available install, lint/typecheck, WebdriverIO config, unit, CI workflow lint, SBOM, and dependency scan commands.

Affected versions

Package Vulnerable versions Fixed versions
@wdio/browserstack-service <=9.23.2 9.24.0

Indicator-of-exposure

  • The repository depends on @wdio/browserstack-service <=9.23.2.
  • WebdriverIO BrowserStack service is enabled in CI, local test scripts, or release validation.
  • testOrchestrationOptions.runSmartSelection is enabled, or test metadata is collected from git repositories.
  • CI runs tests on untrusted forks, pull requests, branches, or externally supplied repositories.

Quick checks:

rg -n "@wdio/browserstack-service|browserstack|runSmartSelection|testOrchestrationOptions|getGitMetadataForAISelection|execSync|git branch" .
npm ls @wdio/browserstack-service
pnpm why @wdio/browserstack-service
yarn why @wdio/browserstack-service

Remediation strategy

  • Upgrade @wdio/browserstack-service to 9.24.0+.
  • Disable smart selection until patched where the repo cannot upgrade immediately.
  • Replace any local shell-string git metadata calls with safe argv-based process calls.
  • Harden CI so untrusted branch names do not run with secrets or deploy authority.
  • Add regression tests that use hostile branch-name strings without executing a shell.

The prompt

You are remediating CVE-2026-25244 in `@wdio/browserstack-service`. Produce
exactly one output:

- A reviewer-ready PR/change request that upgrades the BrowserStack service,
  refreshes lockfiles and generated artifacts, hardens CI branch handling, and
  adds regression tests, or
- TRIAGE.md if this repository does not control an affected WebdriverIO
  BrowserStack runtime.

## Rules

- Scope only CVE-2026-25244 and directly related CI/git metadata command
  execution hardening.
- Do not create malicious git branches, run shell injection payloads, call out
  to external networks, or write proof files.
- Do not print or commit CI secrets, BrowserStack credentials, environment
  variables, SSH keys, package tokens, or build artifacts.
- Do not keep smart selection enabled on vulnerable versions.
- Do not auto-merge.

## Steps

1. Inventory Node package manifests, lockfiles, WebdriverIO configs, CI
   workflows, Docker images, test helper scripts, BrowserStack credentials
   handling, SBOMs, and docs.
2. Determine every resolved `@wdio/browserstack-service` version. A target is
   vulnerable if it resolves to `<9.24.0`.
3. Search for `testOrchestrationOptions.runSmartSelection`, custom git
   metadata helpers, `execSync`, `exec`, `shell: true`, and branch-name
   interpolation in test tooling.
4. Upgrade `@wdio/browserstack-service` to `9.24.0+`. Regenerate lockfiles,
   package-manager metadata, images, SBOMs, generated test docs, and dependency
   reports.
5. If upgrade is blocked, disable BrowserStack smart selection in CI and local
   scripts until a patched version is available.
6. Harden local code:
   - use `execFile` or `spawn` with argv arrays;
   - never interpolate branch names into shell strings;
   - treat branch, tag, repo path, and remote URL as untrusted input.
7. Harden CI:
   - do not expose BrowserStack keys or deployment secrets to untrusted forks;
   - avoid running privileged test jobs on arbitrary branch names;
   - document which jobs can run for external PRs.
8. Add tests using hostile branch-name strings that assert safe argv handling or
   rejection without invoking a shell.
9. Add a PR body section named `CVE-2026-25244 operator actions` covering:
   affected jobs, before/after package versions, smart-selection posture,
   secrets reachable by old jobs, and whether CI credentials should be rotated.
10. Run validation: package install, WebdriverIO config validation, unit tests,
    lint/typecheck, CI workflow lint, SBOM refresh, and dependency scan.
11. Use PR title:
    `fix(sec): patch WebdriverIO BrowserStack command injection`.

## Stop conditions

- No affected WebdriverIO BrowserStack service is controlled by this repo.
- All controlled targets already resolve `@wdio/browserstack-service >=9.24.0`
  and generated artifacts are current.
- Verification would require executing shell payloads or exposing CI secrets.
- The test workflow must run untrusted branches with secrets; document the owner
  decision required in TRIAGE.md.

Verification - what the reviewer looks for

  • No lockfile, image, SBOM, or CI artifact resolves a vulnerable BrowserStack service.
  • Smart selection is patched or disabled.
  • Branch-name handling uses argv-based process calls or rejects unsafe input.
  • CI secrets are unavailable to untrusted branch contexts.

Output contract

  • Reviewer-ready PR upgrading @wdio/browserstack-service to 9.24.0+, refreshing lockfiles, images, SBOMs, and generated artifacts.
  • CI and helper hardening that removes shell-string branch interpolation or disables smart selection until patched.
  • Regression tests using hostile branch-name strings without executing shell payloads.
  • TRIAGE.md when the repository does not control an affected BrowserStack runtime or cannot safely run privileged tests without secrets exposure.

Watch for

  • BrowserStack configs copied across packages or examples.
  • CI jobs where a dependency bump updates package.json but leaves a stale lockfile or test image.
  • Homegrown git metadata helpers with the same command-string pattern.

References