Platform
nodejs
Component
browserstack-local
Fixed in
1.5.9
CVE-2025-57283 is a command injection vulnerability in the browserstack-local Node.js package. The value of the logfile variable in lib/Local.js is used without sufficient sanitization, so an attacker who controls that value can make the package execute arbitrary commands. Versions prior to 1.5.9 are affected; the fix shipped in 1.5.9.
Successful exploitation gives the attacker code execution with the privileges of the user running the vulnerable browserstack-local package, with the usual consequences: compromise of the host, theft of data and of any secrets present in that environment (CI tokens, for example), and a foothold for further activity. The precondition is that the attacker can influence the logfile value, for instance through configuration or input that is not trusted. Because browserstack-local typically runs inside automated test and CI/CD environments, a compromised runner could also tamper with test results or with the artifacts the pipeline produces.
CVE-2025-57283 was published on 2026-01-28. At the time of writing there are no known public exploits or active campaigns targeting it. Its listing in Node.js vulnerability advisory databases indicates a recognized risk. The EPSS score is 0.09% (25th percentile), a low estimated probability of exploitation in the wild within the next 30 days; EPSS is not a severity rating, and a command injection in a package that runs inside CI pipelines still warrants prompt patching.
Organizations and developers utilizing browserstack-local in their Node.js projects, particularly those involved in automated testing and continuous integration/continuous delivery (CI/CD) pipelines, are at risk. Shared hosting environments where browserstack-local is installed could also be vulnerable.
• nodejs / supply-chain:
npm ls browserstack-local
npm audit
• nodejs / supply-chain:
find node_modules -name "Local.js" -print0 | xargs -0 grep -n "logfile"
• generic web:
Inspect package.json and the lockfile (package-lock.json or yarn.lock) for the browserstack-local dependency and its resolved version; package.json alone shows a range, not what is installed, and nested copies under other dependencies count too. In lib/Local.js, check how the logfile value reaches the command that launches the tunnel binary and whether it is validated before it gets there.
disclosure
Exploit status
EPSS
0.09% (25th percentile)
CVSS vector
The primary mitigation for CVE-2025-57283 is to upgrade browserstack-local to version 1.5.9 or later without delay. Because the injection point is the logfile value, the most direct interim control where an upgrade is not yet possible is to ensure that value never comes from untrusted input (user-supplied options, external configuration, CI parameters) and is a fixed path set by the project itself. Restricting network access to the host running browserstack-local limits what an attacker can do after exploitation but does not remove the flaw. Review any custom scripts or configurations that call browserstack-local to confirm no unexpected values are passed in. There are no WAF rules or detection signatures specific to this vulnerability, which makes timely patching critical.
Update the browserstack-local package to a version later than 1.5.8 that fixes the command injection vulnerability. Consult the package's release notes or repository for details of the fix. As a temporary measure, avoid passing unsanitized data to the logfile variable.
CVE-2025-57283 is a command injection vulnerability in the browserstack-local Node.js package, allowing attackers to execute arbitrary commands due to improper sanitization of the logfile variable.
You are affected if you are using browserstack-local versions prior to 1.5.9. Check the resolved version in your lockfile (or run npm ls browserstack-local) rather than only the range in package.json, and look for nested copies under other dependencies.
Upgrade to browserstack-local version 1.5.9 or later using npm install browserstack-local@latest. If upgrading is not immediately possible, make sure the logfile value is a fixed path that no untrusted input can influence, and restrict network access to the affected system.
Currently, there are no known public exploits or active campaigns targeting CVE-2025-57283, but the vulnerability's nature suggests a potential risk.
Refer to the official browserstack security advisory for detailed information and updates regarding CVE-2025-57283.