Description
The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.
Published: 2026-06-15
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability occurs in BrowserStack's Cypress CLI when the cypress_config_file parameter is used. The loadJsFile() function builds a shell command by inserting the user‑controlled configuration file path into a template literal and then executes it with child_process.execSync(). Shell metacharacters such as \\" and ; in the file path allow the attacker to break out of the quoted argument and inject arbitrary commands. The result is that any commands supplied by an attacker run with the privileges of the user invoking the CLI, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The issue affects the BrowserStack BrowserStack Cypress CLI for all releases prior to 1.36.4. Versions 1.36.6 and later contain a fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high impact vulnerability. The EPSS score is below 1%, suggesting a low probability of widespread exploitation today, and it is not listed in CISA’s KEV catalog. The likely attack vector is a local or CI environment where an attacker can supply a crafted cypress_config_file value to the CLI, enabling arbitrary command execution. The severity profile reaffirms that an attacker who can influence the CLI configuration can effectively take control of the host machine.

Generated by OpenCVE AI on June 16, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BrowserStack Cypress CLI to version 1.36.6 or later.
  • If upgrading is not immediately possible, enforce strict validation of the cypress_config_file path by removing shell metacharacters and restricting it to a trusted directory.
  • Run the CLI in a restricted environment with the least privileges necessary, and monitor child_process execution for unexpected commands.

Generated by OpenCVE AI on June 16, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.
Title BrowserStack Cypress CL: Command Injection via cypress_config_file leads to arbitrary code execution through malicious browserstack.json
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T13:37:20.032Z

Reserved: 2026-05-22T18:47:27.756Z

Link: CVE-2026-48723

cve-icon Vulnrichment

Updated: 2026-06-16T13:34:30.989Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T23:16:45.520

Modified: 2026-06-16T15:46:16.230

Link: CVE-2026-48723

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')