BrowserStack Local vulnerable to Command Injection through logfile variable

Severity:: Medium

Description

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.5.8

References

GHSA-g4w6-c99w-4wh7
www.npmjs.com
CVE-2025-57283
CWE-77
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration - CVE-2025-53092
Webrecorder packages are vulnerable to XSS through 404 error handling logic - CVE-2025-58765
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit - Vulnerability
@strapi/plugin-content-manager leaks data via relations via the Admin Panel - CVE-2024-29181

Tags:: npm; browserstack-local

Anything's wrong? Let us know Last updated on January 29, 2026