Description
BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.
Published: 2026-06-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the _default HTTP handler of BrowserStack Runner. The bug allows attackers to supply crafted file paths to the server, causing the application to read files outside the intended project directory. Because there is no authentication guard, the flaw leads directly to confidentiality compromise by exposing arbitrary local files. The core weakness is classified as CWE‑22.

Affected Systems

The vulnerability affects all BrowserStack Runner versions up to and including 0.9.5. The product is identified by the CNA as browserstack:browserstack-runner and is hosted in a Node.js environment where the server binds to all network interfaces.

Risk and Exploitability

With a CVSS score of 7.1, the exploit presents a high medium risk. The EPSS is not available, and the issue is not listed in the CISA KEV catalog, indicating no current known exploitation data. Attackers can reach the vulnerable server via any network interface that the HTTP listener exposes, so the likely attack vector is a local or network‑adjacent threat actor who can connect to the machine running the runner. Given the lack of authentication, a simple HTTP request is sufficient to read sensitive files, making the risk significant for any host exposing BrowserStack Runner to the network.

Generated by OpenCVE AI on June 3, 2026 at 04:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BrowserStack Runner to a version that fixes the path traversal flaw or apply the vendor-released patch if available.
  • If an upgrade is not immediately possible, configure the HTTP server to listen only on localhost or restrict access with firewall rules to trusted hosts.
  • Disable or remove the default HTTP handler and any exposed file service until a secure version is deployed.

Generated by OpenCVE AI on June 3, 2026 at 04:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Browserstack
Browserstack browserstack-runner
Vendors & Products Browserstack
Browserstack browserstack-runner

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.
Title BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Browserstack Browserstack-runner
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-03T14:25:18.128Z

Reserved: 2026-05-27T17:40:12.739Z

Link: CVE-2026-49144

cve-icon Vulnrichment

Updated: 2026-06-03T14:24:15.767Z

cve-icon NVD

Status : Received

Published: 2026-06-02T21:16:28.230

Modified: 2026-06-03T16:16:31.183

Link: CVE-2026-49144

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T10:54:45Z

Weaknesses