BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

Advisories

BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

severity: high
date: 6/2/2026
Affecting: BrowserStack Runner <= 0.9.5
An affected version range remains undefined
CVE: CVE-2026-49143
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: GitHub Security Advisory (GHSA-6vr3-7wcx-v5g5)
Credit: Christ Bouchuen
Description: BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo