CRITICAL🇵🇱 Wersja polska

CVE-2026-25244

CVSS 9.8v3.1pub. 2026-05-18upd. 2026-06-30

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.

🤖 AI Analysis
How it works

The getGitMetadataForAISelection() function retrieves Git branch names and interpolates them directly into execSync() calls without any input sanitization (CWE-78). Since Git allows branch names containing shell metacharacters, an attacker can prepare a malicious repository with an appropriately crafted branch name containing a payload. The malicious repository can be provided via the testOrchestrationOptions.runSmartSelection.source option, or if this option is not set, the attacker can influence the current working directory. The system shell then interprets the injected metacharacters as commands and executes them with the privileges of the process running the tests.

Impact

An attacker can execute arbitrary code on the victim's machine, which leads to disclosure of credentials and secrets, exfiltration of source code and SSH keys, system compromise, and supply chain attacks through manipulation of build artifacts.

Mitigation & patch

WebdriverIO should be updated to version 9.24.0 or newer, in which the issue has been fixed. Patches are available in the official manufacturer's repository on GitHub (tag v9.24.0).

Who is affected

WebdriverIO (package @wdio/browserstack-service) in all versions below 9.24.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openjsf Webdriverio

    APP
    Openjsf
    < 9.24.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2026-13676HIGH7.5ten sam vendor

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family U...

CVE-2026-10796HIGH7.5ten sam vendor

nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the con...

CVE-2026-6322HIGH7.5ten sam vendor

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitte...

CVE-2026-6321HIGH7.5ten sam vendor

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its n...

CVE-2025-57349HIGH7.5ten sam vendor

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is v...