BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

8.7 / 10

HIGH

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

AI Analysis

Unauthenticated remote code execution vulnerability in BrowserStack Runner through 0.9.5 via /_log HTTP handler

Basic Information

ID CVE-2026-49143

Source VulnCheck

Published Jun 2, 2026 at 20:31

Affected Product

Vendor browserstack

Product browserstack-runner

Affected Versions browserstack browserstack-runner 0

CWE Classification

CWE-94

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor BrowserStack

Product BrowserStack Runner

Version 0.9.5

References

{
    "lastseen": "",
    "description": "BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.",
    "published": "2026-06-02T20:31:16.903Z",
    "modified": "2026-06-02T20:31:16.903Z",
    "type": "cve",
    "title": "BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler",
    "source": "VulnCheck",
    "references": "https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-6vr3-7wcx-v5g5\nhttps://www.vulncheck.com/advisories/browserstack-runner-unauthenticated-rce-via-log-http-handler",
    "id": "CVE-2026-49143",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "browserstack browserstack-runner 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "browserstack-runner",
    "version": "0",
    "vendor": "browserstack",
    "ai_description": "Unauthenticated remote code execution vulnerability in BrowserStack Runner through 0.9.5 via /_log HTTP handler",
    "ai_severity": "High",
    "ai_vendor": "BrowserStack",
    "ai_product": "BrowserStack Runner",
    "ai_version": "0.9.5",
    "ai_score": 8.7
}

BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler_CVE-2026-49143