WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.
The getGitMetadataForAISelection() function retrieves Git branch names and interpolates them directly into execSync() calls without any input sanitization (CWE-78). Since Git allows branch names containing shell metacharacters, an attacker can prepare a malicious repository with an appropriately crafted branch name containing a payload. The malicious repository can be provided via the testOrchestrationOptions.runSmartSelection.source option, or if this option is not set, the attacker can influence the current working directory. The system shell then interprets the injected metacharacters as commands and executes them with the privileges of the process running the tests.
An attacker can execute arbitrary code on the victim's machine, which leads to disclosure of credentials and secrets, exfiltration of source code and SSH keys, system compromise, and supply chain attacks through manipulation of build artifacts.
WebdriverIO should be updated to version 9.24.0 or newer, in which the issue has been fixed. Patches are available in the official manufacturer's repository on GitHub (tag v9.24.0).
WebdriverIO (package @wdio/browserstack-service) in all versions below 9.24.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenjsf Webdriverio
APPOpenjsf< 9.24.0
Related vulnerabilities
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family U...
nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the con...
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitte...
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its n...
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is v...