CVE-2026-49143 - browserstack-runner log handler RCE

browserstack-runner through 0.9.5 exposes a local test HTTP server that can bind on all network interfaces. One unauthenticated handler processes log data through unsafe JavaScript evaluation, which can let a network-adjacent attacker run commands in the developer or CI process. A related advisory, CVE-2026-49144, covers arbitrary file read through the same server’s default file handler.

GitHub lists no patched package version for the RCE. For consuming repositories, the reviewer-ready fix is usually to remove or replace browserstack-runner, purge credentials that may have been exposed during test runs, and ensure any remaining BrowserStack or browser-test server is bound and authenticated like a local development service.

When to use it

  • A repository installs, invokes, vendors, documents, or globally installs browserstack-runner <=0.9.5.
  • BrowserStack credentials, npm tokens, .env files, source files, or test secrets are present during local or CI browser test runs.
  • Self-hosted runners, VPNs, corporate networks, shared CI, or developer machines can expose the local test server to neighboring workloads.
  • You need a bounded PR or triage note that removes or replaces the runner and records credential rotation ownership.

Inputs

  • Node manifests, lockfiles, CI workflows, Dockerfiles, setup docs, shell scripts, vendored code, SBOMs, generated reports, and BrowserStack config.
  • BrowserStack credential sources, adjacent tokens, self-hosted runner network model, test-server bind address, and fork/replacement ownership.
  • Available install, lockfile, tests, BrowserStack/browser-test smoke, build, CI workflow lint, SBOM, and dependency/security scan commands.

Affected versions

Package Vulnerable versions Fixed versions
browserstack-runner <=0.9.5 None listed as of 2026-06-07

Related issue:

CVE Surface Affected versions
CVE-2026-49144 _default HTTP handler path traversal and arbitrary file read browserstack-runner <=0.9.5

Indicator-of-exposure

  • The repository installs or invokes browserstack-runner from package.json, lockfiles, CI scripts, shell scripts, Docker images, global npm install steps, or developer setup docs.
  • BrowserStack credentials, .env files, npm tokens, source files, or test secrets are present in the same project root or process environment during test runs.
  • Test jobs run on shared developer networks, self-hosted runners, VPNs, corporate Wi-Fi, or CI networks where another workload can reach the test server.
  • The repository vendors or forks browserstack-runner code with the same _log or _default handler pattern.

Quick checks:

rg -n "browserstack-runner|browserstack\\.json|BrowserStackLocal|test_server_port|/_log|_default|vm\\.runInNewContext|eval\\(|server\\.listen\\(" .
npm ls browserstack-runner
pnpm why browserstack-runner
yarn why browserstack-runner

Remediation strategy

  • Remove browserstack-runner from manifests, lockfiles, global install scripts, Docker images, and CI jobs, or migrate the affected test workflow to a maintained BrowserStack-compatible runner.
  • Rotate BrowserStack access keys and any tokens that were present in the project root or process environment during vulnerable test runs.
  • If a local vendored fork must be retained temporarily, remove unsafe eval/vm use, require per-worker authentication on every handler, bind the server to 127.0.0.1, validate file paths stay under the intended project root, and add negative tests for unauthenticated handlers.
  • Do not alias to an unreviewed fork just to make a package manager resolution pass. Treat any fork as code that must be patched and tested in this repository.
  • Document containment if removal cannot happen immediately: run only on isolated runners, block inbound access to the test port, remove secrets from browserstack.json, and set a short follow-up date.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-49143 / GHSA-6vr3-7wcx-v5g5, an unauthenticated
RCE in the `browserstack-runner` `_log` HTTP handler. Also account for the
related CVE-2026-49144 arbitrary file-read issue in the same test server.
Produce exactly one output:

- A reviewer-ready PR/change request that removes or replaces
  `browserstack-runner`, rotates exposed test credentials where in scope,
  refreshes generated artifacts, and documents temporary containment, or
- TRIAGE.md if this repository does not control an affected
  `browserstack-runner` installation or invocation.

## Rules

- Scope only CVE-2026-49143, related CVE-2026-49144 checks, and directly
  related BrowserStack test-runner configuration.
- Do not run exploit payloads, command-execution probes, or path-traversal
  reads against developer machines, CI runners, or live services.
- Do not print BrowserStack keys, npm tokens, cookies, `.env` values, SSH keys,
  tenant data, or source snippets from sensitive files.
- Do not replace the package with an unreviewed fork without treating that fork
  as repository-owned code.
- Do not auto-merge.

## Steps

1. Inventory every `browserstack-runner` reference in manifests, lockfiles,
   Dockerfiles, CI workflows, shell scripts, developer setup docs, vendored
   code, and generated dependency reports.
2. Determine whether any controlled environment resolves
   `browserstack-runner <=0.9.5` or vendors equivalent server code.
3. Identify where BrowserStack credentials are sourced and whether project-root
   secrets or environment tokens are present during test runs.
4. If the repository does not install, invoke, or vendor the affected runner,
   stop with `TRIAGE.md` listing checked paths and resolved versions.
5. Prefer removal or migration to a maintained BrowserStack-compatible test
   runner. Update scripts, CI jobs, lockfiles, package-manager metadata, SBOMs,
   Docker layers, and docs.
6. If a temporary fork is unavoidable, patch the owned code:
   - remove `eval` and `vm.runInNewContext` from log handling;
   - authenticate `_log`, `_default`, and every worker-facing handler;
   - bind only to `127.0.0.1` unless an explicit authenticated interface is
     required;
   - resolve file paths with containment checks before serving files;
   - reject traversal, absolute paths, encoded traversal, and symlink escapes;
   - add tests for unauthenticated denial and path containment.
7. Rotate BrowserStack keys and any other tokens that were present in the same
   process or project root if vulnerable runs occurred on shared networks or
   shared runners.
8. Add a PR body section named `CVE-2026-49143 operator actions` that states:
   - where `browserstack-runner` was found;
   - whether it was removed, replaced, or temporarily fork-patched;
   - which credentials need rotation or were rotated;
   - whether CI or developer machines need network containment until rollout;
   - which validation commands passed.
9. Run available validation: package install, lockfile integrity, unit tests,
   BrowserStack or browser-test workflow smoke test, lint/typecheck, build,
   SBOM refresh, dependency/security scans, and CI workflow validation.
10. Use PR title:
    `fix(sec): remediate CVE-2026-49143 in browserstack-runner`.

## Stop conditions

- The repository only mentions BrowserStack products but never installs,
  invokes, or vendors `browserstack-runner`.
- A safe replacement requires product or QA ownership outside this repository;
  document the owner, runner migration target, containment, and follow-up date.
- Credential rotation requires access outside the agent's authority; document
  exact keys and owners without exposing secret values.
- Verification would require executing RCE payloads or reading real files
  through path traversal.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, CI workflow, Docker image, or setup script installs or invokes vulnerable browserstack-runner.
  • If a temporary fork remains, static checks and tests prove no unsafe eval/vm log handler remains, all handlers authenticate, the server binds narrowly, and file serving is path-contained.
  • BrowserStack credentials and adjacent tokens were rotated or assigned to a named owner with a follow-up date.
  • The PR does not rely on an unreviewed package alias or fork to silence scanners.

Output contract

  • Reviewer-ready PR removing or replacing browserstack-runner, or patching an owned temporary fork with authenticated handlers, localhost binding, no unsafe eval/vm, and path-contained file serving.
  • Refreshed manifests, lockfiles, CI jobs, images, SBOMs, docs, and generated dependency reports.
  • Operator notes for credential rotation, runner/network containment, remaining migration owners, and validation commands.
  • TRIAGE.md when replacement, credential rotation, or ownership sits outside this repository.

Watch for

  • Global install steps in CI or setup docs that never appear in package.json.
  • browserstack.json or .env files committed, copied into Docker images, or served from the test root.
  • Self-hosted CI runners where “local dev server” still means reachable from neighboring workloads.
  • Treating the file-read CVE as unrelated when both issues share the same unauthenticated HTTP server.

References