CVE-2026-49144

An unauthenticated, network-adjacent attacker can exploit the HTTP server, which binds to all interfaces (0.0.0.0) and lacks authentication, to read arbitrary files. By sending a crafted URL containing path traversal sequences (e.g., `../../../etc/hostname`), the attacker can trick the server into serving files from outside the intended project directory [ref_id=1]. The `--path-as-is` flag in curl is noted as necessary because curl normalizes such sequences by default, but other HTTP clients may not [ref_id=1].

The vulnerability resides in the `_default` handler within `lib/server.js`. Specifically, lines 530–534 show the handler constructing a file path using `path.join(process.cwd(), uri)`. The `uri` is derived from `url.parse(request.url).pathname`, which preserves `../` sequences. No boundary check is performed before calling `handleFile` with the potentially malicious `filePath` [ref_id=1]. The server binding on all interfaces is configured in `bin/cli.js` at line 131 [ref_id=1].

The suggested fix involves validating that the resolved file path, after joining with the current working directory, starts with the current working directory path. If the path attempts to traverse outside the project root, the server should return a 'Forbidden' error (403) instead of serving the file. Additionally, it is recommended to bind the server to `127.0.0.1` and implement authentication for the default handler to mitigate the vulnerability [ref_id=1].

Step 1: Start the server by navigating to the browserstack-runner directory, creating a dummy HTML file (`_poc_test.html`), a `browserstack.json` configuration file, and running `node bin/runner.js`. Step 2: Use `curl` with the `--path-as-is` flag to request sensitive files, such as `http://127.0.0.1:8888/../../../etc/hostname` or `http://127.0.0.1:8888/../../../etc/passwd`, to observe the file disclosure [ref_id=1].