HIGH 8.8

CVE-2026-49143: BrowserStack Runner Remote Code Execution (CVSS 8.8)

BrowserStack Runner versions up to 0.9.5 contain a critical remote code execution flaw in its /_log HTTP handler. An unauthenticated attacker on the local network can send specially crafted JSON requests to execute arbitrary code on the server without providing credentials. The vulnerability stems from unsafe use of Node.js sandbox features combined with eval(), which allows attackers to break out of the sandbox and gain full system access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the /_log HTTP endpoint, which accepts JSON payloads and passes unsanitized user input directly to vm.runInNewContext() combined with eval(). This creates a code injection vector. More critically, attackers can leverage util.format and prototype chain manipulation (this.constructor.constructor) to obtain a reference to the host Function constructor, bypassing the intended Node.js vm sandbox isolation. This grants access to the host process context and enables unrestricted remote code execution with the privileges of the BrowserStack Runner process.

Business impact

Successful exploitation allows complete compromise of systems running BrowserStack Runner. Attackers can read sensitive data, modify test configurations, inject malicious code into build pipelines, or pivot to other infrastructure. Organizations using BrowserStack Runner in CI/CD environments face particular risk, as compromised runners could inject malicious artifacts into production builds or exfiltrate source code and credentials stored in the environment.

Affected systems

BrowserStack Runner version 0.9.5 and earlier are affected. Verify your installed version against the vendor advisory to confirm exposure. The vulnerability requires network adjacency but no authentication, making it exploitable by any attacker with local network access to the affected host.

Exploitability

The attack is straightforward to execute: an attacker crafts a malicious JSON payload targeting the /_log handler and sends it over HTTP from the local network. No authentication is required, and the resulting code execution is immediate and unrestricted. The low complexity and accessibility of the attack vector elevate practical risk despite the network-adjacency requirement.

Remediation

Upgrade BrowserStack Runner to a patched version released after the CVE publication date. Verify the specific patch version against the official vendor advisory. As an interim mitigation, restrict network access to BrowserStack Runner instances using firewall rules or network segmentation to limit exposure to trusted systems only.

Patch guidance

Contact BrowserStack or consult their security advisories for the specific patched version addressing CVE-2026-49143. Apply updates according to your standard change management process. Test updates in a non-production environment first, particularly if BrowserStack Runner is critical to your build pipeline.

Detection guidance

Monitor for HTTP POST requests to the /_log endpoint, especially those originating from unexpected network sources. Look for JSON payloads containing eval-like patterns, constructor chains, or references to Function or prototype manipulation. Endpoint detection and response (EDR) tools should flag suspicious child process spawning from BrowserStack Runner processes, as exploitation typically results in shell execution.

Why prioritize this

This vulnerability scores 8.8 (HIGH) due to high impact (confidentiality, integrity, availability), low attack complexity, and absence of authentication requirements. Although network adjacency is required, organizations with BrowserStack Runner exposed to broader networks face meaningful risk. The presence in active CI/CD pipelines amplifies business criticality. Prioritize patching systems in production or DMZ environments.

Risk score, explained

CVSS 3.1 score of 8.8 reflects: Attack Vector (Adjacent Network) — reduces from 9.9 if remotely exploitable but remains serious; Attack Complexity (Low) — trivial to execute; Privileges Required (None) — no credentials needed; User Interaction (None) — automatic exploitation; Scope (Unchanged) — impact limited to the affected system; Confidentiality/Integrity/Availability (High) — complete system compromise. The absence of KEV status and exploit prevalence data does not diminish the practical severity; organizations should treat this as urgent.

Frequently asked questions

Do I need network access to the BrowserStack Runner host to exploit this?

Yes, the attack requires network adjacency—the attacker must be able to send HTTP requests to the affected host. However, this includes any system that can reach it, including compromised containers, build agents on the same network, or hosts with poor network segmentation.

Does this vulnerability affect BrowserStack's cloud platform?

This CVE is specific to BrowserStack Runner, the self-hosted component. Verify with BrowserStack whether their cloud infrastructure uses Runner internally and, if so, whether it is affected. Self-hosted deployments are the primary concern.

What should I do if I cannot patch immediately?

Implement network-level controls: restrict inbound access to BrowserStack Runner to known, trusted systems only; place it behind a firewall or within a VPN; disable or disable the /_log handler if possible via configuration; and monitor for exploitation attempts. These are stopgaps only—patching remains essential.

Can this be exploited from the internet if the host has a public IP?

The CVSS vector specifies 'Adjacent Network,' which typically means the local network segment. However, if BrowserStack Runner is inadvertently exposed on a public IP and accessible to the internet, the practical attack surface expands significantly. Audit your network topology immediately.

This analysis is provided for informational purposes and reflects the CVE record and CVSS scoring as of the publication and modification dates listed. Patch versions and specific vendor remediation guidance should be verified directly with BrowserStack's official security advisories and documentation. Organizations should conduct internal risk assessments based on their deployment architecture and network exposure. No exploit proof-of-concept code is provided; responsible disclosure practices must be followed. SEC.co makes no warranty regarding the accuracy or completeness of this intelligence relative to the actual vulnerability behavior in all deployment contexts. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).