PatchSiren cyber security CVE debrief
CVE-2025-57283 Browserstack CVE debrief
CVE-2025-57283 is a high-severity command injection vulnerability in the Node.js package browserstack-local 1.5.8. The vulnerability occurs because the logfile variable is not properly sanitized in lib/Local.js. This allows an attacker to inject arbitrary commands, potentially leading to a compromise of the affected system. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.8, indicating a high level of severity. The vulnerability was published on January 28, 2026, and last modified on June 30, 2026. Browserstack has been identified as the vendor, and the affected product is Browserstack-Local. Users of this package should take immediate action to mitigate the risk.
- Vendor: Browserstack
- Product: browserstack-local
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-28
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using the browserstack-local package in their Node.js applications should be aware of this vulnerability and take steps to mitigate it. Given the high CVSS score, priority should be given to patching or mitigating this vulnerability to prevent potential attacks. Additionally, users of Red Hat systems may find relevant information in the references provided.
Technical summary
CVE-2025-57283 is caused by a lack of proper sanitization of the logfile variable in the lib/Local.js file of the browserstack-local package. This allows an attacker to inject arbitrary commands, potentially leading to a compromise of the affected system. The vulnerability has a CVSS score of 7.8 and a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, i.e. local access with low privileges and no user interaction, with high impact on confidentiality, integrity and availability. It is classified under CWE-94 (code injection) and CWE-78 (OS command injection). The affected product is Browserstack-Local, version 1.5.8, and the vulnerability affects Node.js applications using this package.
Defensive priority
High priority should be given to patching or mitigating this vulnerability due to its high CVSS score and potential impact. Administrators should review their systems for usage of the affected package and apply patches or mitigations as soon as possible.
Recommended defensive actions
- Apply the patch for browserstack-local version 1.5.8 or later.
- Review and sanitize user input to prevent command injection.
- Monitor systems for suspicious activity related to the browserstack-local package.
- Consider implementing compensating controls, such as restricting access to the affected systems.
- Review and update inventory to ensure all instances of the package are accounted for.
Evidence notes
CVE-2025-57283 was published on January 28, 2026, and last modified on June 30, 2026. Root cause: lack of proper sanitization of the logfile variable in lib/Local.js of the browserstack-local package. CVSS score 7.8 (High); associated weaknesses CWE-94 and CWE-78. References include the CVE record, NVD detail, and vendor and source references.
Official resources
- CVE-2025-57283 CVE record (CVE.org)
- CVE-2025-57283 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: [email protected] - Product
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.