CVE-2026-25244
Published 2026-05-18
Priority P270 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.80% (84.7th percentile)
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openjsf | webdriverio | < 9.24.0 | 9.24.0 |
| wdio | browserstack-service | >= 0 < 9.24.0 | 9.24.0 |
| webdriverio | webdriverio | < 9.24.0 | 9.24.0 |
Detection & IOCs (extracted from sources)
- The vulnerable function `getGitMetadataForAISelection()` interpolates Git branch names directly into `execSync()` calls without sanitization; monitor for shell metacharacters in branch names being processed by WebdriverIO test orchestration.
- Monitor the `testOrchestrationOptions.runSmartSelection.source` configuration option for attacker-controlled repository paths pointing to malicious Git repositories with crafted branch names.
- Alert on WebdriverIO versions below 9.24.0 running in CI/CD pipelines, particularly where test orchestration (smart selection) is enabled and external/untrusted repositories are processed.
- Detect shell metacharacters (e.g., `;`, `|`, `$()`, backticks, `&&`) in Git branch names being consumed by Node.js `execSync()` calls during WebdriverIO test runs; these are indicators of active exploitation attempts.
- In CI/CD environments, watch for unexpected child processes (credential dumping, SSH key reads, outbound exfiltration) spawned from the WebdriverIO test runner process, which may indicate post-exploitation activity.
Exploitation context:
- Exploitation requires the attacker to control or influence the Git repository being processed (e.g., supply a malicious branch name); this typically requires at least minimal SCM write permissions or the ability to submit a pull request.
- User interaction is required: the vulnerability is triggered when the target checks out the malicious repository or processes a pull request containing the crafted branch name.
- If `testOrchestrationOptions.runSmartSelection.source` is not explicitly set, WebdriverIO falls back to the current working directory, meaning a malicious branch in the local repo is sufficient for exploitation.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | | 9.8 | CRITICAL | |
VulDB
WebdriverIO up to 9.23.x getGitMetadataForAISelection os command injection (GHSA-5c46-x3qw-q7j7)
vuldb · 2026-05-19 · CVSS 9.8 · CVE-2026-25244 · CRITICAL
A vulnerability labeled as critical has been found in WebdriverIO up to 9.23.x. This issue affects the function getGitMetadataForAISelection. The manipulation results in os command injection.
This vulnerability is known as CVE-2026-25244. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
GHSA
WebdriverIO BrowserStack Service has a Command Injection issue
ghsa · 2026-05-11 · CVE-2026-25244 · CRITICAL · CWE-78
### Summary
A command injection vulnerability exists in `@wdio/browserstack-service` that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection payloads.
### Details
### Vulnerable Code
**File**: https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204
### Root Cause
User-controlled git branch names are directly interpolated into `execSync()` calls.
Red Hat
WebdriverIO: WebdriverIO: Remote Code Execution via command injection in Git branch name processing
vendor_redhat · 2026-05-18 · CVSS 9.8 · CVE-2026-25244 · CRITICAL · CWE-78
A flaw was found in WebdriverIO. A remote attacker can exploit a command injection vulnerability by crafting a malicious Git repository with a specially named branch. This branch name, containing shell metacharacters, is unsafely processed during test orchestration. This allows for remote code execution on affected systems, potentially leading to the disclosure of sensitive information, system compromise, and supply chain attacks.
Statement: This vulnerability is rated as Important by Red Hat. Successful exploitation requires the attacker to gain access to or influence the Git repository being processed to supply a malicious branch name; this generally requires at least minimal permissions
No detection rules found.
No public exploits indexed.
References
- https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204
- https://github.com/webdriverio/webdriverio/releases/tag/v9.24.0
- https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7j7
- https://access.redhat.com/security/cve/CVE-2026-25244
- https://bugzilla.redhat.com/show_bug.cgi?id=2479692
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25244.json
Published: 2026-05-18