CVE-2026-49143: BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler
BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Remote code execution vulnerability in BrowserStack Runner through version 0.9.5. The /_log HTTP handler passes user-supplied JSON request bodies directly into vm.runInNewContext() combined with eval(), allowing an unauthenticated attacker on the same network segment to escape the Node.js vm sandbox and execute arbitrary code on the host system. No authentication is required, and no fix has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle browserstack-runner. Any image found carrying browserstack-runner at or below version 0.9.5 is flagged immediately.
Available
HarborGuard is capable of scoring this finding at CVSS 8.7 HIGH and weighting it against each environment's compliance policy to determine alert priority. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.
Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix version appears upstream.
Pending upstream
Exploit Conditions
- Network reachability: Detail
The attacker must be on the same adjacent network, LAN, or VPN segment as the host running BrowserStack Runner; the /_log handler is not required to be exposed to the public internet for this attack to succeed.
- Authentication: Not required
The /_log HTTP handler accepts requests with no credentials; any unauthenticated client on the adjacent network can send the crafted payload.
- Victim interaction: Not required
The attack is fully automated and requires no action from any user or administrator on the target system.
- Attack complexity: Detail
Exploitation is reliable and condition-free once network adjacency is established; the sandbox escape technique via host-context Function references is well-documented and does not depend on race conditions or specific memory layout.
Blast Radius
- Attacker executes arbitrary operating system commands as the user running the BrowserStack Runner process.
- Attacker reads any file accessible to that process, including environment variables, secrets, and credentials stored on disk.
- Attacker modifies or deletes files and configurations on the host, corrupting test infrastructure or planting backdoors.
- Attacker disrupts the BrowserStack Runner service and any dependent CI/CD pipeline steps relying on it.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49143 is active and capable of flagging any image carrying browserstack-runner at or below 0.9.5 within minutes of a scan. Because no upstream fix version exists as of the publication date, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a fix is published. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention. In the meantime, compensating controls worth considering include network-policy isolation that restricts access to the /_log endpoint to trusted CI hosts only, egress filtering to limit lateral movement if the handler is reached, and disabling or removing browserstack-runner from images where it is not actively needed.
- browserstack / browserstack-runner ≤ 0.9.5
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
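
The affected-version match described above can be reproduced locally against an npm lockfile. This is an added example, not HarborGuard's or BrowserStack's code: given a parsed package-lock.json, it reports every copy of browserstack-runner at or below 0.9.5, including nested copies. The function names and the sample lockfile are constructed for illustration.

```javascript
const AFFECTED_PACKAGE = 'browserstack-runner';
const LAST_AFFECTED = '0.9.5'; // advisory: "through 0.9.5", no fixed version yet

// Compare dotted numeric versions. Suffixes after - or + are ignored; non-numeric
// versions (e.g. git URLs) parse as 0.0.0 and are therefore flagged for review.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version }] for every affected copy, nested copies included.
function findAffected(lock) {
  const hits = [];
  const check = (path, version) => {
    if (typeof version === 'string' && compareVersions(version, LAST_AFFECTED) <= 0) {
      hits.push({ path, version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === AFFECTED_PACKAGE) check(path, meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === AFFECTED_PACKAGE) check(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): one affected copy, one newer nested copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/browserstack-runner': { version: '0.9.5' },
  'node_modules/tool/node_modules/browserstack-runner': { version: '0.10.0' },
} };
console.log(findAffected(SAMPLE_LOCK));
```

An empty result only means the lockfile does not pin an affected copy; images that install the package globally or outside a lockfile need a separate inventory.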