BrowserStack Local vulnerable to Command Injection through logfile variable

Severity:: Medium

Description

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

Recommendation

Update the browserstack-local package to the latest compatible version. Followings are version details:

Affected version(s): <= 1.5.8
Patched version(s): 1.5.9

References

GHSA-g4w6-c99w-4wh7
www.npmjs.com
CVE-2025-57283
CWE-77
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

systeminformation has a Command Injection vulnerability in fsSize() function on Windows - CVE-2025-68154
Command injection in Parse Server through prototype pollution - CVE-2022-24760
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update - CVE-2025-60542
Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754

Tags:: npm; browserstack-local

Anything's wrong? Let us know Last updated on February 27, 2026