PT-2026-39872 · Webdriverio · @Wdio/Browserstack-Service

Published 2026-05-11 · Updated 2026-05-19 · CVE-2026-25244

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: WebdriverIO (@wdio/browserstack-service) versions prior to 9.24.0
Description: A command injection issue exists in the test orchestration of WebdriverIO, specifically in the @wdio/browserstack-service module. The function getGitMetadataForAISelection() interpolates git branch names directly into execSync() calls without sanitization. Git permits branch names containing shell metacharacters such as $(...), ;, |, & and backticks (git check-ref-format rejects spaces, ~, ^, :, ?, *, [ and \, but not these), so a branch name can carry a payload that /bin/sh executes when the assembled string is passed to execSync(). An attacker who can supply the repository the service inspects, either through the testOrchestrationOptions.runSmartSelection.source option or, when that option is unset, through the repository in the current working directory, obtains remote code execution on developer machines and CI/CD servers. Consequences include exfiltration of SSH keys, source code and credentials, host compromise, and supply chain attacks through tampered build artifacts.
Recommendations: Update to version 9.24.0 or later. Until the update is applied, as a temporary workaround, restrict access to the @wdio/browserstack-service module and do not run it against repositories you do not control: do not point testOrchestrationOptions.runSmartSelection.source at an untrusted repository, and keep in mind that when the option is unset the service reads the current working directory, so a CI job that checks out branches contributed by untrusted parties is exposed as well.

Tags: Exploit · Fix · RCE · OS Command Injection


Weakness Enumeration

Related Identifiers

BDU:2026-07092
CVE-2026-25244
GHSA-5C46-X3QW-Q7J7

Affected Products

@Wdio/Browserstack-Service
Webdriverio