CVE-2026-25244
WebdriverIO Command Injection RCE Vulnerability
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openjsf | webdriverio | < 9.24.0 (fixed in 9.24.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability enables remote code execution on CI/CD servers and developer machines, which can lead to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts.
Such impacts can result in unauthorized access to sensitive data and systems, potentially violating data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA.
Therefore, organizations using affected versions of WebdriverIO may face compliance risks due to the possibility of data breaches and compromised system integrity.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to remote code execution on CI/CD servers and developer machines.
- Disclosure of credentials and secrets
- Exfiltration of source code and SSH keys
- Full system compromise
- Supply chain attacks through tampered build artifacts
Can you explain this vulnerability to me?
This vulnerability exists in WebdriverIO, a browser and mobile test automation framework, in versions before 9.24.0. It is an OS command injection flaw (CWE-78) that allows remote code execution (RCE) during test orchestration.
The issue arises because the function getGitMetadataForAISelection() interpolates Git branch names directly into execSync() command strings, which /bin/sh parses, without sanitizing them. Git's own ref-name rules forbid spaces and a handful of characters (`~ ^ : ? * [ \` and control characters), but they allow `;`, `|`, `&`, backticks, `$(...)` and `${...}`, so a branch name that Git accepts without complaint can still carry a complete shell payload.
An attacker who can get a branch with a crafted name to the place where this code path runs (for example, a branch pushed to a shared repository or supplied through a pull request) has the payload executed by the shell with the privileges of the test run, leading to arbitrary code execution.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade WebdriverIO to version 9.24.0 or later, where the issue has been fixed (for example `npm install webdriverio@^9.24.0`, then confirm with `npm ls webdriverio`).
Until you can upgrade, treat branch names as untrusted input: do not run affected versions against branches pushed by untrusted contributors (for example pull requests from forks), and reject branch names containing shell metacharacters in your CI pipeline before WebdriverIO is invoked. Git itself will not do this for you, since `;`, `$`, `{}`, `()` and similar characters are valid in ref names.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your installed WebdriverIO is below 9.24.0, for example with `npm ls webdriverio` or by reading the `version` field of `node_modules/webdriverio/package.json`; every version before 9.24.0 contains the command injection flaw.
To detect potential exploitation attempts, inspect the branch names in your repositories for shell metacharacters. Keep in mind that this only covers refs already fetched locally; the branch that matters is the one CI is about to check out, so run the same check in the pipeline on the incoming ref (for instance the `GITHUB_HEAD_REF` variable on GitHub Actions).
- Run `git branch -a` in your project directories to list all local and remote-tracking branches and look for unusual characters such as semicolons, backticks, `$`, braces, or parentheses.
- Use a command like `git branch -a | grep -E '[;&|`$(){}]'`, or `git for-each-ref --format='%(refname)' | grep -E '[;&|`$(){}]'` to cover tags and other refs as well, to filter names containing common shell metacharacters that could be used for command injection.
Additionally, monitor your CI/CD logs and hosts for unexpected commands or files created by injected payloads, such as the `/tmp/pwned.txt` marker file that the example payload for this issue creates.