CVE-2026-49144
Path Traversal in BrowserStack Runner
Publication date: 2026-06-02
Last updated on: 2026-06-03
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| browserstack | runner | 0.9.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to read arbitrary files, including potentially sensitive files, by exploiting a path traversal flaw in BrowserStack Runner. This unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Specifically, the ability to access sensitive files without authentication undermines confidentiality requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.
Can you explain this vulnerability to me?
This vulnerability exists in BrowserStack Runner versions up to 0.9.5. It is a path traversal flaw in the _default HTTP handler within the lib/server.js file. This flaw allows unauthenticated attackers who are network-adjacent to exploit the HTTP server, which listens on all interfaces, to traverse directories outside the intended project root. As a result, attackers can read arbitrary files on the system.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker can read sensitive files on the affected system without any authentication. This could lead to exposure of confidential information, configuration files, or other sensitive data that resides outside the project root directory.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the BrowserStack Runner HTTP server is running and bound to all network interfaces (0.0.0.0) without authentication, which allows unauthenticated access.
You can attempt to detect exploitation by sending HTTP requests that try to access sensitive files via path traversal sequences in the URL, such as requesting paths like '/../etc/passwd' or '/../browserstack.json'.
Example commands to test for this vulnerability include using curl or wget to request sensitive files through the HTTP server:
- curl http://<target-ip>:<port>/../etc/passwd
- curl http://<target-ip>:<port>/../browserstack.json
- wget http://<target-ip>:<port>/../etc/passwd -O -
Additionally, you can scan your network for hosts running the BrowserStack Runner HTTP server on all interfaces and check for unauthenticated access.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict the HTTP server to bind only to localhost (127.0.0.1) instead of all interfaces (0.0.0.0) to prevent network-adjacent attackers from accessing it.
- Add authentication to the _default HTTP handler to prevent unauthenticated access.
- Validate and sanitize all user-controlled input paths to ensure they do not traverse outside the intended project root directory.
Since no fixed version range has been defined yet, these configuration and code changes are critical to reduce exposure.