Platform: nodejs
Component: browserstack-local
Fixed in: 1.5.9
CVE-2025-57283 describes a command injection vulnerability discovered in the browserstack-local Node.js package. The flaw arises from insufficient sanitization of the logfile variable in the lib/Local.js file, allowing an attacker who controls that value to execute arbitrary commands on the system. Versions prior to 1.5.9 are affected; the fix shipped in version 1.5.9.
Successful exploitation of CVE-2025-57283 could allow an attacker to gain remote code execution (RCE) on the system running the vulnerable browserstack-local package. This could lead to complete system compromise, data theft, and further malicious activity. The attacker would need to manipulate the logfile variable to inject and execute arbitrary commands. Given that browserstack-local is often used in automated testing environments, a compromised system could also impact the integrity of test results and potentially introduce vulnerabilities into deployed applications.
CVE-2025-57283 was published on 2026-01-28. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its inclusion in the Node Security Project (NSP) database indicates a potential risk. The EPSS score is pending evaluation, but the command injection nature suggests a potentially high probability of exploitation if left unpatched.
Exploit Status:
EPSS: 0.09% (25th percentile)
CVSS Vector:
The primary mitigation for CVE-2025-57283 is to immediately upgrade the browserstack-local package to version 1.5.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting network access to the system running browserstack-local to limit potential attack vectors. Review and audit any custom scripts or configurations that utilize browserstack-local to ensure no malicious code is present. There are no specific WAF rules or detection signatures readily available for this vulnerability, making timely patching critical.
Update the browserstack-local package to a version later than 1.5.8 that fixes the command injection vulnerability. Consult the package's release notes or repository for more details on the fix. As a temporary measure, avoid passing unsanitized data to the logfile variable.
CVE-2025-57283 is a command injection vulnerability in the browserstack-local Node.js package, allowing attackers to execute arbitrary commands due to improper sanitization of the logfile variable.
You are affected if you are using browserstack-local versions prior to 1.5.9. Check your package.json file to determine your current version.
Upgrade to browserstack-local version 1.5.9 or later using npm install browserstack-local@latest. If upgrading is not immediately possible, restrict network access to the affected system.
Currently, there are no known public exploits or active campaigns targeting CVE-2025-57283, but the vulnerability's nature suggests a potential risk.
Refer to the official browserstack security advisory for detailed information and updates regarding CVE-2025-57283.