CVE-2026-49143: browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler
The HTTP handler /_log in lib/server.js (lines 491–515) of browserstack-runner passes unauthenticated user-supplied data to vm.runInNewContext() combined with eval(), enabling a sandbox escape and arbitrary code execution on the host system.
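An added example, not browserstack-runner's own code: one way a log endpoint such as /_log can treat the request body as inert data instead of passing it to vm.runInNewContext() or eval(). The JSON body shape (an optional `arguments` array), the size limits and every function name below are assumptions.

```javascript
// Added example: hardened handling of a /_log-style request body.
// Assumed (not from the project): the body is JSON, either a single value or
// an object with an `arguments` array; all names here are hypothetical.
const MAX_BODY_BYTES = 64 * 1024; // reject oversized bodies before parsing
const MAX_ENTRY_CHARS = 2000;     // truncate each rendered log entry

// Render one parsed value as a single printable line. Values are only ever
// stringified, never evaluated.
function renderEntry(value) {
  const text = typeof value === 'string' ? value : JSON.stringify(value);
  // Replace control characters so a body cannot forge extra log lines or
  // emit terminal escape sequences.
  const clean = String(text).replace(/[\u0000-\u001f\u007f]/g, ' ');
  return clean.length > MAX_ENTRY_CHARS
    ? clean.slice(0, MAX_ENTRY_CHARS) + '...[truncated]'
    : clean;
}

// Parse an untrusted request body. Returns { ok, status, lines }.
function parseLogBody(raw) {
  if (typeof raw !== 'string') return { ok: false, status: 400, lines: [] };
  if (Buffer.byteLength(raw, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, lines: [] };
  }
  let parsed;
  try {
    parsed = JSON.parse(raw); // data-only grammar: no calls, no property access
  } catch (err) {
    return { ok: false, status: 400, lines: [] };
  }
  const hasArgs = parsed !== null && typeof parsed === 'object'
    && Array.isArray(parsed.arguments);
  const args = hasArgs ? parsed.arguments : [parsed];
  return { ok: true, status: 200, lines: args.map(renderEntry) };
}

// Constructed sample bodies (not captured traffic).
const SAMPLES = [
  '{"arguments":["test started",{"passed":3}]}',
  '{"arguments":["line one\\nFAKE [info] line two"]}',
  '(function () { return 1 + 1; })()', // code-like text, not JSON: rejected
];
for (const body of SAMPLES) console.log(parseLogBody(body));
```

Code-like input is rejected with status 400 because it is not valid JSON; nothing in the request body is ever executed.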