CVE-2026-49143 - browserstack-runner log handler RCE
browserstack-runner through 0.9.5 exposes a local test HTTP server that can
bind on all network interfaces. One unauthenticated handler processes log data
through unsafe JavaScript evaluation, which can let a network-adjacent attacker
run commands in the developer or CI process. A related advisory,
CVE-2026-49144, covers arbitrary file read through the same server’s default
file handler.
GitHub lists no patched package version for the RCE. For consuming
repositories, the reviewer-ready fix is usually to remove or replace
browserstack-runner, purge credentials that may have been exposed during test
runs, and ensure any remaining BrowserStack or browser-test server is bound and
authenticated like a local development service.
When to use it
- A repository installs, invokes, vendors, documents, or globally installs
browserstack-runner <=0.9.5. - BrowserStack credentials, npm tokens,
.envfiles, source files, or test secrets are present during local or CI browser test runs. - Self-hosted runners, VPNs, corporate networks, shared CI, or developer machines can expose the local test server to neighboring workloads.
- You need a bounded PR or triage note that removes or replaces the runner and records credential rotation ownership.
Inputs
- Node manifests, lockfiles, CI workflows, Dockerfiles, setup docs, shell scripts, vendored code, SBOMs, generated reports, and BrowserStack config.
- BrowserStack credential sources, adjacent tokens, self-hosted runner network model, test-server bind address, and fork/replacement ownership.
- Available install, lockfile, tests, BrowserStack/browser-test smoke, build, CI workflow lint, SBOM, and dependency/security scan commands.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
browserstack-runner |
<=0.9.5 |
None listed as of 2026-06-07 |
Related issue:
| CVE | Surface | Affected versions |
|---|---|---|
CVE-2026-49144 |
_default HTTP handler path traversal and arbitrary file read |
browserstack-runner <=0.9.5 |
Indicator-of-exposure
- The repository installs or invokes
browserstack-runnerfrompackage.json, lockfiles, CI scripts, shell scripts, Docker images, global npm install steps, or developer setup docs. - BrowserStack credentials,
.envfiles, npm tokens, source files, or test secrets are present in the same project root or process environment during test runs. - Test jobs run on shared developer networks, self-hosted runners, VPNs, corporate Wi-Fi, or CI networks where another workload can reach the test server.
- The repository vendors or forks
browserstack-runnercode with the same_logor_defaulthandler pattern.
Quick checks:
rg -n "browserstack-runner|browserstack\\.json|BrowserStackLocal|test_server_port|/_log|_default|vm\\.runInNewContext|eval\\(|server\\.listen\\(" .
npm ls browserstack-runner
pnpm why browserstack-runner
yarn why browserstack-runner
Remediation strategy
- Remove
browserstack-runnerfrom manifests, lockfiles, global install scripts, Docker images, and CI jobs, or migrate the affected test workflow to a maintained BrowserStack-compatible runner. - Rotate BrowserStack access keys and any tokens that were present in the project root or process environment during vulnerable test runs.
- If a local vendored fork must be retained temporarily, remove unsafe
eval/vmuse, require per-worker authentication on every handler, bind the server to127.0.0.1, validate file paths stay under the intended project root, and add negative tests for unauthenticated handlers. - Do not alias to an unreviewed fork just to make a package manager resolution pass. Treat any fork as code that must be patched and tested in this repository.
- Document containment if removal cannot happen immediately: run only on
isolated runners, block inbound access to the test port, remove secrets from
browserstack.json, and set a short follow-up date.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-49143 / GHSA-6vr3-7wcx-v5g5, an unauthenticated
RCE in the `browserstack-runner` `_log` HTTP handler. Also account for the
related CVE-2026-49144 arbitrary file-read issue in the same test server.
Produce exactly one output:
- A reviewer-ready PR/change request that removes or replaces
`browserstack-runner`, rotates exposed test credentials where in scope,
refreshes generated artifacts, and documents temporary containment, or
- TRIAGE.md if this repository does not control an affected
`browserstack-runner` installation or invocation.
## Rules
- Scope only CVE-2026-49143, related CVE-2026-49144 checks, and directly
related BrowserStack test-runner configuration.
- Do not run exploit payloads, command-execution probes, or path-traversal
reads against developer machines, CI runners, or live services.
- Do not print BrowserStack keys, npm tokens, cookies, `.env` values, SSH keys,
tenant data, or source snippets from sensitive files.
- Do not replace the package with an unreviewed fork without treating that fork
as repository-owned code.
- Do not auto-merge.
## Steps
1. Inventory every `browserstack-runner` reference in manifests, lockfiles,
Dockerfiles, CI workflows, shell scripts, developer setup docs, vendored
code, and generated dependency reports.
2. Determine whether any controlled environment resolves
`browserstack-runner <=0.9.5` or vendors equivalent server code.
3. Identify where BrowserStack credentials are sourced and whether project-root
secrets or environment tokens are present during test runs.
4. If the repository does not install, invoke, or vendor the affected runner,
stop with `TRIAGE.md` listing checked paths and resolved versions.
5. Prefer removal or migration to a maintained BrowserStack-compatible test
runner. Update scripts, CI jobs, lockfiles, package-manager metadata, SBOMs,
Docker layers, and docs.
6. If a temporary fork is unavoidable, patch the owned code:
- remove `eval` and `vm.runInNewContext` from log handling;
- authenticate `_log`, `_default`, and every worker-facing handler;
- bind only to `127.0.0.1` unless an explicit authenticated interface is
required;
- resolve file paths with containment checks before serving files;
- reject traversal, absolute paths, encoded traversal, and symlink escapes;
- add tests for unauthenticated denial and path containment.
7. Rotate BrowserStack keys and any other tokens that were present in the same
process or project root if vulnerable runs occurred on shared networks or
shared runners.
8. Add a PR body section named `CVE-2026-49143 operator actions` that states:
- where `browserstack-runner` was found;
- whether it was removed, replaced, or temporarily fork-patched;
- which credentials need rotation or were rotated;
- whether CI or developer machines need network containment until rollout;
- which validation commands passed.
9. Run available validation: package install, lockfile integrity, unit tests,
BrowserStack or browser-test workflow smoke test, lint/typecheck, build,
SBOM refresh, dependency/security scans, and CI workflow validation.
10. Use PR title:
`fix(sec): remediate CVE-2026-49143 in browserstack-runner`.
## Stop conditions
- The repository only mentions BrowserStack products but never installs,
invokes, or vendors `browserstack-runner`.
- A safe replacement requires product or QA ownership outside this repository;
document the owner, runner migration target, containment, and follow-up date.
- Credential rotation requires access outside the agent's authority; document
exact keys and owners without exposing secret values.
- Verification would require executing RCE payloads or reading real files
through path traversal.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, CI workflow, Docker image, or setup script
installs or invokes vulnerable
browserstack-runner. - If a temporary fork remains, static checks and tests prove no unsafe
eval/vmlog handler remains, all handlers authenticate, the server binds narrowly, and file serving is path-contained. - BrowserStack credentials and adjacent tokens were rotated or assigned to a named owner with a follow-up date.
- The PR does not rely on an unreviewed package alias or fork to silence scanners.
Output contract
- Reviewer-ready PR removing or replacing
browserstack-runner, or patching an owned temporary fork with authenticated handlers, localhost binding, no unsafeeval/vm, and path-contained file serving. - Refreshed manifests, lockfiles, CI jobs, images, SBOMs, docs, and generated dependency reports.
- Operator notes for credential rotation, runner/network containment, remaining migration owners, and validation commands.
TRIAGE.mdwhen replacement, credential rotation, or ownership sits outside this repository.
Watch for
- Global install steps in CI or setup docs that never appear in
package.json. browserstack.jsonor.envfiles committed, copied into Docker images, or served from the test root.- Self-hosted CI runners where “local dev server” still means reachable from neighboring workloads.
- Treating the file-read CVE as unrelated when both issues share the same unauthenticated HTTP server.
Related recipes
- CVE-2026-25244 WebdriverIO BrowserStack command injection
- Source code supply-chain build integrity audit
- CVE intelligence intake gate
References
- GitHub Advisory: https://github.com/advisories/GHSA-6vr3-7wcx-v5g5
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49143
- Related GitHub Advisory: https://github.com/advisories/GHSA-8rpw-6cqh-2v9h
- Related NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49144