Description
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.
Published: 2026-05-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WebdriverIO versions prior to 9.24.0 contain a command injection flaw in the BrowserStack service’s test orchestration logic, which interprets Git branch names via execSync without sanitization. The flaw, classified as CWE‑78, enables an attacker who can supply a malicious repository or branch name to trigger arbitrary shell commands during test execution. This results in remote code execution on the machine running the tests, potentially exposing credentials, secrets, source code, and SSH keys to the attacker.

Affected Systems

The vulnerability affects the WebdriverIO WebdriverIO framework, specifically configurations that use the BrowserStack service for test orchestration. All releases earlier than version 9.24.0 are vulnerable. Users running CI/CD pipelines or local developer environments that execute WebdriverIO tests with the BrowserStack service should verify whether a vulnerable version is in use.

Risk and Exploitability

The CVSS base score is 9.8, indicating a high likelihood of exploitation under realistic conditions. No EPSS score is publicly available, but the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a repository with a crafted branch name that is ingested by the test orchestration code; therefore, the attack vector is primarily local to the CI/CD or developer machine that runs WebdriverIO, although a malicious repository could be used remotely to infect a shared CI environment.

Generated by OpenCVE AI on May 18, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WebdriverIO to version 9.24.0 or later.
  • If an update cannot be applied immediately, disable the runSmartSelection feature or restrict testOrchestrationOptions.runSmartSelection.source to a trusted repository that does not accept unvalidated branch names.
  • Implement input validation or sanitization for Git branch names before they are passed to execSync, or replace execSync with a safer API that does not invoke a shell.

Generated by OpenCVE AI on May 18, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5c46-x3qw-q7j7 WebdriverIO BrowserStack Service has a Command Injection issue
History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 19 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Openjsf
Openjsf webdriverio
CPEs cpe:2.3:a:openjsf:webdriverio:*:*:*:*:*:node.js:*:*
Vendors & Products Openjsf
Openjsf webdriverio

Tue, 19 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Webdriverio
Webdriverio webdriverio
Vendors & Products Webdriverio
Webdriverio webdriverio

Mon, 18 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.
Title WebdriverIO has Command Injection in the BrowserStack Service
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Openjsf Webdriverio
Webdriverio Webdriverio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T12:58:50.420Z

Reserved: 2026-01-30T14:44:47.330Z

Link: CVE-2026-25244

cve-icon Vulnrichment

Updated: 2026-05-19T12:58:24.614Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-18T21:16:39.547

Modified: 2026-05-19T21:08:29.203

Link: CVE-2026-25244

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-18T20:31:14Z

Links: CVE-2026-25244 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T08:18:37Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')