{"id":"CVE-2026-25244","summary":"WebdriverIO has Command Injection in the BrowserStack Service","details":"WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.","aliases":["GHSA-5c46-x3qw-q7j7"],"modified":"2026-07-08T08:12:44.610757592Z","published":"2026-05-18T20:31:14.497Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25244.json","cwe_ids":["CWE-78"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204"},{"type":"WEB","url":"https://github.com/webdriverio/webdriverio/releases/tag/v9.24.0"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25244.json"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-25244"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25244.json"},{"type":"ADVISORY","url":"https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7j7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25244"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2479692"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webdriverio/webdriverio","events":[{"introduced":"0"},{"fixed":"3d65e986cd0e24f4b1eaf7122d547f0c64ab9a21"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:openjsf:webdriverio:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"fixed":"9.24.0"}]}}],"versions":["v9.23.3","v9.23.2","v9.23.1","v9.23.0","v9.22.0","v9.21.1","v9.21.0","v9.20.1","v9.20.0","v9.19.2","v9.19.1","v9.19.0","v9.18.4","v9.18.3","v9.18.2","v9.18.1","v9.18.0","v9.17.1","v9.17.0","v9.16.2","v9.16.1","v9.16.0","v9.15.0","v9.14.0","v9.13.0","v9.12.7","v9.12.6","v9.12.5","v9.12.4","v9.12.3","v9.12.2","v9.12.1","v9.12.0","v9.11.0","v9.10.1","v9.10.0","v9.9.3","v9.9.2","v9.9.1","v9.9.0","v9.8.0","v9.7.3","v9.7.2","v9.7.1","v9.7.0","v9.6.4","v9.6.3","v9.6.2","v9.6.1","v9.6.0","v9.5.7","v9.5.6","v9.5.5","v9.5.4","v9.5.3","v9.5.2","v9.5.1","v9.5.0","v9.4.5","v9.4.4","v9.4.3","v9.4.2","v9.4.1","v9.4.0","v9.3.1","v9.3.0","v9.2.15","v9.2.14","v9.2.13","v9.2.12","v9.2.11","v9.2.10","v9.2.9","v9.2.8","v9.2.7","v9.2.6","v9.2.5","v9.2.4","v9.2.3","v9.2.2","v9.2.1","v9.2.0","v9.1.6","v9.1.5","v9.1.4","v9.1.3","v9.1.2","v9.1.1","v9.1.0","v9.0.9","v9.0.8","v9.0.7","v9.0.6","v9.0.5","v9.0.4","v9.0.3","v9.0.2","v9.0.1","v9.0.0","v8.36.0","v9.0.0-alpha.0","v8.32.1","v8.32.0","v8.31.1","v8.31.0","v8.30.0","v8.29.7","v8.29.6","v8.29.5","v8.29.4","v8.29.3","v8.29.2","v8.29.1","v8.29.0","v8.28.8","v8.28.7","v8.28.6","v8.28.5","v8.28.4","v8.28.3","v8.28.2","v8.28.1","v8.28.0","v8.27.2","v8.27.1","v8.27.0","v8.26.3","v8.26.2","v8.26.1","v8.26.0","v8.25.0","v8.24.16","v8.24.15","v8.24.14","v8.24.13","v8.24.12","v8.24.11","v8.24.10","v8.24.9","v8.24.8","v8.24.7","v8.24.6","v8.24.5","v8.24.4","v8.24.3","v8.24.2","v8.24.1","v8.24.0","v8.23.5","v8.23.4","v8.23.3","v8.23.2","v8.23.1","v8.23.0","v8.22.1","v8.22.0","v8.21.0","v8.20.5","v8.20.4","v8.20.3","v8.20.2","v8.20.1","v8.20.0","v8.19.0","v8.18.2","v8.18.1","v8.18.0","v8.17.0","v8.16.22","v8.16.21","v8.16.20","v8.16.19","v8.16.18","v8.16.17","v8.16.16","v8.16.15","v8.16.14","v8.16.13","v8.16.12","v8.16.11","v8.16.10","v8.16.9","v8.16.8","v8.16.7","v8.16.6","v8.16.5","v8.16.4","v8.16.3","v8.16.2","v8.16.1","v8.16.0","v8.15.10","v8.15.9","v8.15.8","v8.15.7","v8.15.6","v8.15.5","v8.15.4","v8.15.3","v8.15.2","v8.15.1","v8.15.0","v8.14.6","v8.14.5","v8.14.4","v8.14.3","v8.14.2","v8.14.1","v8.14.0","v8.13.14","v8.13.13","v8.13.12","v8.13.11","v8.13.10","v8.13.9","v8.13.8","v8.13.7","v8.13.6","v8.13.5","v8.13.4","v8.13.3","v8.13.2","v8.13.1","v8.13.0","v8.12.3","v8.12.2","v8.12.1","v8.12.0","v8.11.4","v8.11.3","v8.11.2","v8.11.1","v8.11.0","v8.10.7","v8.10.6","v8.10.5","v8.10.4","v8.10.3","v8.10.2","v8.10.1","v8.10.0","v8.9.0","v8.8.8","v8.8.7","v8.8.6","v8.8.5","v8.8.4","v7.31.0","v8.8.3","v8.8.2","v8.8.1","v8.8.0","v8.7.0","v8.6.9","v8.6.8","v8.6.7","v8.6.6","v8.6.5","v8.6.4","v8.6.3","v8.6.2","v8.6.1","v8.6.0","v8.5.9","v8.5.8","v8.5.7","v8.5.6","v8.5.5","v8.5.4","v8.5.3","v8.5.2","v8.5.1","v8.5.0","v8.4.0","v8.3.11","v8.3.10","v8.3.9","v8.3.8","v8.3.7","v8.3.6","v8.3.5","v8.3.4","v8.3.3","v8.3.2","v8.3.1","v8.3.0","v8.2.6","v8.2.5","v8.2.4","v8.2.3","v8.2.2","v8.2.1","v8.2.0","v8.1.3","v8.1.2","v8.1.1","v8.1.0","v8.0.15","v8.0.14","v8.0.13","v8.0.12","v8.0.11","v8.0.10","v8.0.9","v8.0.8","v8.0.7","v8.0.6","v8.0.5","v8.0.4","v8.0.3","v8.0.2","v8.0.1","v8.0.0","v7.20.7","v7.20.6","v7.20.5","v7.20.4","v7.20.3","v7.20.2","v7.20.1","v7.20.0","v7.19.7","v7.19.6","v7.19.5","v7.19.4","v7.19.3","v7.19.2","v7.19.1","v7.19.0","v7.18.1","v7.18.0","v7.17.4","v7.17.3","v7.17.2","v7.17.1","v7.17.0","v7.16.16","v7.16.15","v7.16.14","v7.16.13","v7.16.12","v7.16.11","v7.16.10","v7.16.9","v7.16.8","v7.16.7","v7.16.6","v7.16.5","v7.16.4","v7.16.3","v7.16.2","v7.16.1","v7.16.0","v7.15.0","v7.14.1","v7.14.0","v7.13.2","v7.13.1","v7.13.0","v7.12.6","v7.12.5","v7.12.4","v7.12.3","v7.12.2","v7.12.1","v7.12.0","v7.11.1","v7.11.0","v7.10.1","v7.10.0","v7.9.1","v7.9.0","v7.8.0","v7.7.8","v7.7.7","v7.7.6","v7.7.5","v7.7.4","v7.7.3","v7.7.2","v7.7.1","v7.7.0","v7.6.1","v7.6.0","v7.5.7","v7.5.6","v7.5.5","v7.5.4","v7.5.3","v7.5.2","v7.5.1","v7.5.0","v7.4.6","v7.4.5","v7.4.4","v7.4.3","v7.4.2","v7.4.1","v7.4.0","v7.3.1","v7.3.0","v7.2.3","v7.2.2","v7.2.1","v7.2.0","v7.1.2","v7.1.1","v7.1.0","v7.0.9","v7.0.8","v7.0.7","v7.0.6","v7.0.5","v7.0.4","v7.0.3","v7.0.2","v7.0.1","v7.0.0","v7.0.0-beta.4","v7.0.0-beta.3","v7.0.0-beta.2","v7.0.0-beta.1","v7.0.0-beta.0","v6.12.1","v6.12.0","v6.11.4","v6.11.3","v6.11.2","v6.11.1","v6.11.0","v6.10.14","v6.10.13","v6.10.12","v6.10.11","v6.10.10","v6.10.9","v6.10.8","v6.10.7","v6.10.6","v6.10.5","v6.10.4","v6.10.3","v6.10.2","v6.10.1","v6.10.0","v6.9.1","v6.9.0","v6.8.2","v6.8.1","v6.8.0","v6.7.4","v6.7.3","v6.7.2","v6.7.1","v6.7.0","v6.6.8","v6.6.7","v6.6.6","v6.6.5","v6.6.4","v6.6.3","v6.6.2","v6.6.1","v6.6.0","v6.5.2","v6.5.1","v6.5.0","v6.4.7","v6.4.6","v6.4.5","v6.4.4","v6.4.3","v6.4.2","v6.4.1","v6.4.0","v6.3.7","v6.3.6","v6.3.5","v6.3.4","v6.3.3","v6.3.2","v6.3.1","v6.3.0","v6.2.0","v6.1.25","v6.1.24","v6.1.23","v6.1.22","v6.1.21","v6.1.20","v6.1.19","v6.1.18","v6.1.17","v6.1.16-blm4","v6.1.16-blm3","v6.1.16-blm2","v6.1.16","v6.1.15","v6.1.14","v6.1.13","v6.1.12","v6.1.11","v6.1.10","v6.1.9","v6.1.8","v6.1.7","v6.1.6","v6.1.5","v6.1.4","v6.1.3","v6.1.2","v6.1.1","v6.1.0","v6.0.18","v6.0.17","v6.0.16","v6.0.15","v6.0.14","v6.0.13","v6.0.12","v6.0.11","v6.0.10","v6.0.9","v6.0.8","v6.0.7","v6.0.6","v6.0.5","v6.0.4","v6.0.3","v6.0.2","v6.0.1","v6.0.0","v6.0.0-beta.1","v6.0.0-beta.0","v6.0.0-alpha.1","v6.0.0-alpha.0","v5.16.16","v5.16.15","v5.16.14","v5.16.13","v5.16.12","v5.16.11","v5.16.10","v5.16.9","v5.16.7","v5.16.6","v5.16.5","v5.16.4","v5.16.3","v5.16.2","v5.16.1","v5.16.0","v5.15.7","v5.15.6","v5.15.5","v5.15.4","v5.15.3","v5.15.2","v5.15.1","v5.15.0","v5.14.5","v5.14.4","v5.14.3","v5.14.2","v5.14.1","v5.14.0","v5.13.2","v5.13.1","v5.13.0","v5.13.0-alpha.0","v5.12.5","v5.12.4","v5.12.3","v5.12.2","v5.12.1","v5.12.0","v5.11.14","v5.11.13","v5.11.12","v5.11.11","v5.11.10","v5.11.9","v5.11.8","v5.11.7","v5.11.6","v5.11.5","v5.11.4","v5.11.3","v5.11.2","v5.11.1","v5.11.0","v5.10.10","v5.10.9","v5.10.8","v5.10.7","v5.10.6","v5.10.5","v5.10.4","v5.10.3","v5.10.2","v5.10.1","v5.10.0","v5.9.6","v5.9.5","v5.9.4","v5.9.3","v5.9.2","v5.9.1","v5.9.0","v5.8.6","v5.8.5","v5.8.4","v5.8.3","v5.8.2","v5.8.1","v5.8.0","v5.7.16","v5.7.15","v5.7.14","v5.7.13","v5.7.12","v5.7.11","v5.7.10","v5.7.9","v5.7.8","v5.7.7","v5.7.6","v5.7.5","v5.7.4","v5.7.3","v5.7.2","v5.7.1","v5.7.0","v5.6.6","v5.6.5","v5.6.4","v5.6.3","v5.6.2","v5.6.1","v5.6.0","v5.5.0","v5.4.20","v5.4.19","v5.4.18","v5.4.17","v5.4.16","v5.4.15","v5.4.14","v5.4.13","v5.4.12","v5.4.11","v5.4.10","v5.4.9","v5.4.8","v5.4.7","v5.4.6","v5.4.5","v5.4.4","v5.4.3","v5.4.2","v5.4.1","v5.4.0","v5.3.5","v5.3.4","v5.3.3","v5.3.2","v5.3.1","v5.3.0","v5.2.8","v5.2.7","v5.2.6","v5.2.5","v5.2.4","v5.2.3","v5.2.2","v5.2.1","v5.2.0","v5.1.2","v5.1.1","v5.1.0","v5.0.4","v5.0.3","v5.0.2","v5.0.1","v5.0.0","v5.0.0-beta.16","v5.0.0-beta.15","v5.0.0-beta.14","v5.0.0-beta.13","v5.0.0-beta.12","v5.0.0-beta.10","v5.0.0-beta.9","v5.0.0-beta.8","v5.0.0-beta.7","v5.0.0-beta.6","v5.0.0-beta.5","v5.0.0-beta.3","v5.0.0-beta.2","v5.0.0-beta.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25244.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}