
BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attacker…

Published:

1 June 2026 at 22:00:00

Alert date:

2 June 2026 at 22:02:38

Source:

nvd.nist.gov


Web Technologies, Supply Chain & Dependencies

BrowserStack Runner through version 0.9.5 contains a critical remote code execution vulnerability in the /_log HTTP handler. The vulnerability allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON requests. Attackers can exploit the vm.runInNewContext() and eval() functions to escape the Node.js VM sandbox. The attack leverages util.format and this.constructor.constructor to access the host process, achieving full remote code execution without authentication.
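
A data-only way to handle a log request of this kind, as an added example that is not BrowserStack Runner's code or its fix: the body is decoded with JSON.parse and rendered with JSON.stringify, so nothing the client sends reaches eval() or vm.runInNewContext(). The `arguments` field name, the function names and the size limits are assumptions made for illustration.

```javascript
// Added example (not BrowserStack Runner code): a data-only formatter for a
// /_log style endpoint. Field name, function names and limits are assumptions.
const MAX_BODY_BYTES = 16 * 1024; // assumed cap on the request body
const MAX_ARGS = 32;              // assumed cap on logged arguments

// Render one client-supplied value as text. Nothing is evaluated: a string
// that is valid JSON is decoded as data, any other string stays inert text.
function renderArg(arg) {
  let value = arg;
  if (typeof arg === 'string') {
    try {
      value = JSON.parse(arg);
    } catch (e) {
      return arg; // not JSON: log it verbatim, never hand it to eval()
    }
  }
  return typeof value === 'string' ? value : JSON.stringify(value);
}

// Validate and format the raw request body of a log request.
function formatLogBody(body) {
  if (typeof body !== 'string' || Buffer.byteLength(body) > MAX_BODY_BYTES) {
    return { ok: false, reason: 'body too large or not text' };
  }
  let query;
  try {
    query = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (!query || !Array.isArray(query.arguments) ||
      query.arguments.length > MAX_ARGS) {
    return { ok: false, reason: 'arguments must be a short array' };
  }
  return { ok: true, line: query.arguments.map(renderArg).join(' ') };
}

// Constructed sample bodies: a normal log call, a string shaped like the
// constructor chain named in the advisory, and a malformed request.
const SAMPLES = [
  JSON.stringify({ arguments: ['loaded', '{"tests":3}', '42'] }),
  JSON.stringify({ arguments: ['this.constructor.constructor("return 1")()'] }),
  JSON.stringify({ arguments: 'not-an-array' }),
];
for (const body of SAMPLES) console.log(formatLogBody(body));
```

The second sample comes back as the same literal text it was sent as, because no code path in the handler interprets strings as JavaScript.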

Affected products:

BrowserStack Runner

This article was created with the assistance of AI technology by Perceptive.
