cbcvebase.
CVE-2026-25244
published 2026-05-18

Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.80% (84.7th percentile)
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.

Affected

3 ranges
Vendor        Product               Version range     Fixed in
openjsf       webdriverio           < 9.24.0          9.24.0
wdio          browserstack-service  >= 0 < 9.24.0     9.24.0
webdriverio   webdriverio           < 9.24.0          9.24.0

Detection & IOCs (extracted from sources)

  • The vulnerable function `getGitMetadataForAISelection()` interpolates Git branch names directly into `execSync()` calls without sanitization — monitor for shell metacharacters in branch names being processed by WebdriverIO test orchestration.
  • Monitor the `testOrchestrationOptions.runSmartSelection.source` configuration option for attacker-controlled repository paths pointing to malicious Git repositories with crafted branch names.
  • Alert on WebdriverIO versions below 9.24.0 running in CI/CD pipelines, particularly where test orchestration (smart selection) is enabled and external/untrusted repositories are processed.
  • Detect shell metacharacters (e.g., `;`, `|`, `$()`, backticks, `&&`) in Git branch names being consumed by Node.js `execSync()` calls during WebdriverIO test runs — these are indicators of active exploitation attempts.
  • In CI/CD environments, watch for unexpected child processes (credential dumping, SSH key reads, outbound exfiltration) spawned from the WebdriverIO test runner process, which may indicate post-exploitation activity.
  • Exploitation requires the attacker to control or influence the Git repository being processed (e.g., supply a malicious branch name); this typically requires at least minimal SCM write permissions or the ability to submit a pull request.
  • User interaction is required — the vulnerability is triggered when the target checks out the malicious repository or processes a pull request containing the crafted branch name.
  • If `testOrchestrationOptions.runSmartSelection.source` is not explicitly set, WebdriverIO falls back to the current working directory, meaning a malicious branch in the local repo is sufficient for exploitation.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 9.8 CRITICAL