Description
BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.
Published: 2026-06-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BrowserStack Runner versions up to 0.9.5 expose the "/_log" HTTP handler to unauthenticated remote code execution. The flaw allows an attacker to craft a JSON request that is forwarded directly to the Node.js VM sandbox via vm.runInNewContext() combined with eval(). By leveraging a host‑context Function reference through util.format, attackers can escape the sandbox and obtain a reference to the host process, ultimately executing arbitrary code on the underlying system.

Affected Systems

All installations of BrowserStack Runner running version 0.9.5 or earlier are affected. The vulnerable component is the "_/log" HTTP handler provided by the BrowserStack Runner server.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. Attackers with network access adjacent to the host can exploit the flaw without any authentication, by submitting a specially crafted JSON payload to the vulnerable endpoint. Because the EPSS is not available and the issue is not listed in the CISA KEV catalog, the exact exploitation probability is unknown, but the critical nature of the flaw and the lack of authentication requirements make it a high‑risk target for attackers.

Generated by OpenCVE AI on June 3, 2026 at 04:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest BrowserStack Runner update that removes the vulnerable code in the "/_log" handler.
  • If an immediate upgrade is not feasible, restrict network access to the "/_log" endpoint using firewall rules or equivalent network segmentation to prevent unauthenticated access.
  • Review the application’s input handling to ensure that eval() and vm.runInNewContext() are not exposed to untrusted data, and consider removing or sanitizing these calls in any custom deployment.

Generated by OpenCVE AI on June 3, 2026 at 04:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Browserstack
Browserstack browserstack-runner
Vendors & Products Browserstack
Browserstack browserstack-runner

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.
Title BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Browserstack Browserstack-runner
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-03T14:02:38.017Z

Reserved: 2026-05-27T17:40:12.739Z

Link: CVE-2026-49143

cve-icon Vulnrichment

Updated: 2026-06-03T14:02:28.593Z

cve-icon NVD

Status : Received

Published: 2026-06-02T21:16:28.070

Modified: 2026-06-03T14:16:45.433

Link: CVE-2026-49143

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T10:54:47Z

Weaknesses