Fluid Attacks Database

Description

browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server

Summary

The HTTP server in browserstack-runner serves files from the project directory via the _default handler. This handler uses path.join(process.cwd(), uri) to resolve file paths but does not validate that the resulting path stays within the project root. Combined with the server binding on 0.0.0.0 (all interfaces) and the absence of any authentication, this allows an unauthenticated network-adjacent attacker to read arbitrary files from the host filesystem.

Root Cause

lib/server.js, lines 530–534 : _default handler:

'_default': function defaultHandler(uri, body, request, response) {
    var filePath = path.join(process.cwd(), uri);
    handleFile(filePath, request, response);
}

uri comes from url.parse(request.url).pathname (line 540), which preserves ../ sequences. path.join resolves them, producing absolute paths outside the project directory. No boundary check is performed before serving the file.

bin/cli.js, line 131 : server binding:

server.listen(parseInt(config.test_server_port, 10));

No hostname is specified, so Node.js binds on 0.0.0.0 (all interfaces).

No authentication: The _default handler does not call getWorkerUuid() or perform any authentication check.

Steps to Reproduce

Step 1 : Start the server (Terminal 1)

cd browserstack-runner
echo '<html><body>test</body></html>' > _poc_test.html
echo '{"username":"X","key":"X","test_path":"_poc_test.html","test_framework":"qunit","browsers":[]}' > browserstack.json
node bin/runner.js

Step 2 : Read arbitrary files (Terminal 2)

Read /etc/hostname:

curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/hostname"

Read /etc/passwd:

curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/passwd"

Read the BrowserStack access key from config:

curl -s "http://127.0.0.1:8888/browserstack.json"

Note: --path-as-is is required because curl normalizes ../ sequences by default. Browsers and HTTP libraries that do not normalize URL paths (or that allow raw path construction) can exploit this without special flags.

Expected Result

/etc/hostname → server returns the machine hostname

/etc/passwd → server returns the full passwd file

browserstack.json → server returns the config including the BrowserStack access key

Impact

BrowserStack access key theft : browserstack.json is always in the project root (same directory the server serves from), and contains username and key in cleartext

Source code theft : all project files are readable

System file disclosure : /etc/passwd, /etc/shadow (if readable), SSH keys, .env files, .npmrc (npm tokens), etc.

Chainable with Finding #1 : same server, same exposure window, same network-adjacent attacker

Suggested Fix

Validate the resolved path stays within the project root:

var filePath = path.resolve(process.cwd(), '.' + uri);
if (!filePath.startsWith(process.cwd() + path.sep)) {
    sendError(response, 'Forbidden', 403);
    return;
}

Bind on 127.0.0.1

Add authentication to the _default handler

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
npm	browserstack-runner	>=0 <=0.9.5

Aliases

1. CVE-2026-491442. NVD-2026-491443. OSV-2026-491444. GHSA-8rpw-6cqh-2v9h5. GCVE-2026-49144

References

1. https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-8rpw-6cqh-2v9h2. https://www.vulncheck.com/advisories/browserstack-runner-path-traversal-via-default-http-handler

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.