WebdriverIO
- Affected versions: <= 9.23.2
A command injection vulnerability has been identified in WebdriverIO versions prior to 9.24.0, specifically within the BrowserStack service. This vulnerability allows for remote code execution (RCE) during test orchestration. The issue arises because Git branch names can include shell metacharacters, which are directly interpolated into execution commands without proper sanitization. An attacker can exploit this by providing a malicious repository with a branch name that carries a payload, causing the shell to execute arbitrary code. This exploitation can lead to severe consequences, including unauthorized access to environment variables, secrets, and credentials, as well as source code and SSH key exfiltration, system compromise, and supply chain attacks through tampered build artifacts.
Exploitation of this vulnerability allows for remote code execution on CI/CD servers and developer machines. This could result in the unauthorized disclosure of credentials and secrets, exfiltration of source code and SSH keys, compromise of the system, and supply chain attacks via modified build artifacts.
To reproduce this vulnerability, create a malicious Git repository and include a branch name with command injection payloads. Then, configure WebdriverIO to use this repository through the 'testOrchestrationOptions.runSmartSelection.source' option. When the 'getGitMetadataForAISelection()' function is called, the branch name will be executed as a shell command, leading to remote code execution.
Users can update to WebdriverIO version 9.24.0 or later, where this vulnerability has been fixed.