BrowserStack Local vulnerable to Command Injection through logfile variable

Severity:: Medium

Description

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

Recommendation

Update the browserstack-local package to the latest compatible version. Followings are version details:

Affected version(s): <= 1.5.8
Patched version(s): 1.5.9

References

GHSA-g4w6-c99w-4wh7
www.npmjs.com
CVE-2025-57283
CWE-77
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
create-choo-app3 is vulnerable to Command Injection via the devInstall function - CVE-2022-25855
mongosh vulnerable to local privilege escalation - CVE-2025-1756
Command injection in Parse Server through prototype pollution - CVE-2022-24760

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; browserstack-local

Anything's wrong? Let us know Last updated on February 27, 2026