BrowserStack Local vulnerable to Command Injection through logfile variable
- Severity: Medium
Description
The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.5.8
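With no patched release available, callers can validate the log file path themselves before it reaches the package. The sketch below is an added example, not code from browserstack-local or from this advisory; `safeLogfile`, `echoAsArgument`, the allow-list pattern and the sample directory are hypothetical, and it assumes the log path comes from caller-controlled input.

```javascript
'use strict';
const { execFileSync } = require('node:child_process');
const path = require('node:path');

// Hypothetical allow-list: letters, digits and . _ - / only, so shell
// metacharacters (; | & $ ` quotes, whitespace, newlines) are rejected.
const SAFE_PATH = /^[A-Za-z0-9._\/-]+$/;

// Hypothetical helper: validate a caller-supplied log file path before it is
// handed to any library that may place it into a shell command string.
function safeLogfile(candidate, baseDir) {
  if (typeof candidate !== 'string' || candidate.length === 0) {
    throw new TypeError('logfile must be a non-empty string');
  }
  if (!SAFE_PATH.test(candidate)) {
    throw new Error('logfile contains characters outside the allow-list');
  }
  if (path.basename(candidate).startsWith('-')) {
    throw new Error('logfile name must not look like a command-line option');
  }
  // Confine the resolved path to the intended log directory.
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, candidate);
  if (resolved !== base && !resolved.startsWith(base + path.sep)) {
    throw new Error('logfile escapes the log directory');
  }
  return resolved;
}

// Shows the safer pattern for code that spawns processes: with an argument
// vector and no shell, the value reaches the child as one literal argument.
function echoAsArgument(value) {
  return execFileSync(
    process.execPath,
    ['-e', 'process.stdout.write(process.argv[1])', '--', value],
    { encoding: 'utf8' }
  );
}
```

The validator only reduces exposure in the calling application; it does not change how the affected versions build their command internally.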
Related Issues
- Matrix IRC Bridge allows IRC command injection to own puppeted user - CVE-2025-27146
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- Command injection in Parse Server through prototype pollution - CVE-2022-24760
- create-choo-app3 is vulnerable to Command Injection via the devInstall function - CVE-2022-25855
- Tags: npm, browserstack-local
Last updated on January 29, 2026