CVSS 8.8 HIGH Vulnerability

CVE-2026-49143: browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTT…


CVSS Score: 8.8 | Severity: HIGH | CISA KEV: No | Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-49143
Vendor: npm
Affected Product: browserstack-runner
Vulnerability Type: Vulnerability
CVSS Score: 8.8 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory →
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary: The HTTP handler /_log in lib/server.js (lines 491–515) of browserstack-runner passes unauthenticated user-supplied data to vm.runInNewContext() combined with eval(), enabling a sandbox escape and arbitrary code execution on the host system.

Details: When browserstack-runner starts, it creates an HTTP server on port 8888 (configurable) that listens on all network interfaces (0.0.0.0). The /_log endpoint accepts POST requests and processes the JSON body as follows:

```javascript
// lib/server.js lines 504-510
var context = {
  input: query.arguments,
  format: util.format,
  output: ''
};
var tryEvalOrString = 'function (arg) { try { return eval(\'o = \' + arg); } catch (e) { return arg; } }';
vm.runInNewContext('output = format.apply(null, input.map(' + tryEvalOrStri…
```

🎯 Known Indicators of Compromise

ipv4: 0.0.0.0 (confidence score 0.88, first seen 2026-06-03, 1 source). This is the listen address quoted in the Details section above, not a remote host; it is not useful as a network indicator.


