CVE-2025-57283: BrowserStack Local vulnerable to Command Injection through logfile variable
The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.
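A lockfile check for the release named above, as an added example that is not part of the advisory or the project's own code: it reports every install of browserstack-local 1.5.8 found in a parsed package-lock.json, including nested copies pulled in by other packages. The sample lockfiles and the wdio-helper package name are constructed for illustration.

```javascript
// Added example: flag lockfile entries for the release named in the advisory.
const AFFECTED = { name: "browserstack-local", version: "1.5.8" };

// Return [{ path, version }] for every affected install in a parsed
// package-lock.json (npm v1 "dependencies" tree or v2/v3 "packages" map).
function findAffected(lock) {
  const hits = [];
  // v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === AFFECTED.name && meta.version === AFFECTED.version) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 files repeat the same data under "dependencies"
  // v1: nested tree, walked recursively so transitive copies are reported too
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === AFFECTED.name && meta.version === AFFECTED.version) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  })(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/browserstack-local": { version: "1.5.8" },
    "node_modules/wdio-helper/node_modules/browserstack-local": { version: "1.5.1" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "wdio-helper": {
      version: "2.0.0",
      dependencies: { "browserstack-local": { version: "1.5.8" } },
    },
  },
};

console.log(findAffected(sampleV3), findAffected(sampleV1));
```

For a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `findAffected`.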