CVE-2026-49143
Remote Code Execution in BrowserStack Runner
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| browserstack | runner | 0.9.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in BrowserStack Runner versions up to 0.9.5 and involves a remote code execution flaw in the /_log HTTP handler.
An unauthenticated attacker who is network-adjacent can send specially crafted JSON request bodies to this handler.
The vulnerability arises because the handler passes user-supplied data to Node.js's vm.runInNewContext() combined with eval(), allowing attackers to escape the sandbox.
By leveraging a host-context Function reference through util.format, attackers can access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.
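The root cause described above is CWE-94: request data reaching a code-evaluation primitive (vm.runInNewContext plus eval). The following is an added defensive example, not code from BrowserStack Runner or from this advisory, showing the shape of a log-ingestion handler in which the request body is only ever parsed as data. The field names (level, message, context), the size limits and the sample bodies are constructed assumptions for illustration; no string from the body is ever handed to eval(), new Function() or the vm module, so a code-like payload is stored as inert text.

```javascript
'use strict';
// Added example (hypothetical handler, not BrowserStack's code): a JSON log
// endpoint that treats the body strictly as data. Defensive properties:
//   * hard cap on body size before parsing
//   * JSON.parse only, never eval/new Function/vm on anything body-derived
//   * allowlist of fields with expected types; a fresh object is rebuilt so
//     no prototype, getter or unexpected key from the input survives

const MAX_BODY_BYTES = 64 * 1024;  // assumption: generous cap for a log entry
const ALLOWED_LEVELS = new Set(['debug', 'info', 'warn', 'error']);
const PRIMITIVES = new Set(['string', 'number', 'boolean']);
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Validate an already-parsed body and return a freshly built entry.
function validateLogEntry(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  const { level, message, context } = body;
  if (!ALLOWED_LEVELS.has(level)) return { ok: false, error: 'invalid level' };
  if (typeof message !== 'string' || message.length === 0 || message.length > 4096) {
    return { ok: false, error: 'invalid message' };
  }
  // context is optional and must be a flat object of primitives only.
  const safeContext = {};
  if (context !== undefined) {
    if (context === null || typeof context !== 'object' || Array.isArray(context)) {
      return { ok: false, error: 'invalid context' };
    }
    for (const key of Object.keys(context)) {
      if (DANGEROUS_KEYS.has(key)) continue;  // drop prototype-pollution keys
      const value = context[key];
      if (!PRIMITIVES.has(typeof value)) {
        return { ok: false, error: `context.${key} has unsupported type` };
      }
      safeContext[key] = value;
    }
  }
  return { ok: true, entry: { level, message, context: safeContext } };
}

// Parse raw UTF-8 text into a validated entry. Code-like strings stay strings.
function parseLogBody(raw) {
  if (Buffer.byteLength(raw, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, error: 'body too large' };
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (_err) {
    return { ok: false, error: 'malformed JSON' };
  }
  return validateLogEntry(parsed);
}

// Request handler that would back a route such as /_log. `sink` receives
// validated entries; anything invalid is rejected with a 4xx and no side effect.
function handleLogRequest(req, res, sink) {
  if (req.method !== 'POST') { res.writeHead(405).end(); return; }
  const chunks = [];
  let size = 0;
  let rejected = false;
  req.on('data', (chunk) => {
    if (rejected) return;
    size += chunk.length;
    if (size > MAX_BODY_BYTES) {      // stop reading before parsing anything
      rejected = true;
      res.writeHead(413).end();
      req.destroy();
      return;
    }
    chunks.push(chunk);
  });
  req.on('end', () => {
    if (rejected) return;
    const result = parseLogBody(Buffer.concat(chunks).toString('utf8'));
    if (!result.ok) {
      res.writeHead(400, { 'Content-Type': 'text/plain' }).end(result.error);
      return;
    }
    sink(result.entry);
    res.writeHead(204).end();
  });
}

// Constructed sample bodies (not captured traffic) exercising each path.
const SAMPLES = {
  good: JSON.stringify({ level: 'info', message: 'suite passed', context: { suite: 'login', durationMs: 42 } }),
  codeLike: JSON.stringify({ level: 'warn', message: 'eval("1+1")' }),      // stored as text
  nested: JSON.stringify({ level: 'info', message: 'x', context: { a: { b: 1 } } }),
  protoKey: '{"level":"warn","message":"x","context":{"__proto__":{"polluted":true},"k":"v"}}',
  malformed: '{"level": "info", ',
};

function demo() {
  const results = {};
  for (const [name, raw] of Object.entries(SAMPLES)) results[name] = parseLogBody(raw);
  return results;
}
```

Wiring this into a server is the usual `http.createServer((req, res) => handleLogRequest(req, res, writeToLog))`; the property worth checking in review is simply that no identifier derived from `req` ever appears as an argument to eval, Function or a vm call.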
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary code remotely on the affected system without any authentication.
Such remote code execution can lead to complete compromise of the underlying system, including unauthorized access, data theft, system manipulation, or disruption of services.