CVE-2026-25244— WebdriverIO has Command Injection in the BrowserStack Service
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| webdriverio | webdriverio | < 9.24.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25244
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WebdriverIO has Command Injection in the BrowserStack Service
Source: NVD (National Vulnerability Database)
Vulnerability Description
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
webdriverio 操作系统命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
webdriverio是WebdriverIO开源的一款浏览器和移动端自动化测试框架。 WebdriverIO 9.24.0之前版本存在操作系统命令注入漏洞,该漏洞源于getGitMetadataForAISelection函数未清理分支名直接插入execSync调用,可能导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| webdriverio | webdriverio | < 9.24.0 | - |
II. Public POCs for CVE-2026-25244
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 9665 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-25244
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-25244 (1)
Vendor Advisories for CVE-2026-25244 (1)
Vendor Pages for CVE-2026-25244 (1)
- 🔗 Release v9.24.0 · webdriverio/webdriverio · GitHubx_refsource_MISC
IV. Related Vulnerabilities
Same weakness: CWE-78
- CVE-2026-55748
OpenStack Horizon <25.7.4 命令注入漏洞 - CVE-2026-55743
OpenHuman desktop agent shell tool sandbox bypass leads to a - CVE-2026-53876
RadiX AX6600 OS命令注入漏洞 - CVE-2026-11409
OS Command Injection in IPv6 PPPoE Configuration in TP-Link - CVE-2026-11410
OS Command Injection in BigPond Cable (BPA) Configuration in
V. Comments for CVE-2026-25244
No comments yet