PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25244 Openjsf CVE debrief

CVE-2026-25244 is a critical command injection issue in WebdriverIO versions below 9.24.0. The vulnerable path can pass Git branch names containing shell metacharacters into execSync() without sanitization through getGitMetadataForAISelection(), which can allow arbitrary command execution during test orchestration. The impact is especially serious for CI/CD runners and developer workstations that process untrusted repositories or repository state.

Vendor: Openjsf
Product: Webdriverio
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Teams using WebdriverIO for browser, E2E, component, or Appium-based testing should prioritize this if they run test orchestration against untrusted repositories, forks, branches, or working directories. CI/CD platform owners, build engineers, and developers who use the affected BrowserStack test orchestration path are the primary audience.

Technical summary

NVD classifies the issue as CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) with CWE-78. The vendor advisory and referenced source indicate that getGitMetadataForAISelection() interpolates Git branch names directly into execSync() calls. Because Git branch names can contain shell metacharacters, a malicious branch name in the repository referenced by testOrchestrationOptions.runSmartSelection.source (or in the current working directory when that option is unset) can trigger shell execution when the metadata is collected. The fixed release is 9.24.0.

Defensive priority

Immediate. Treat as a high-priority upgrade because the issue is network-reachable in common CI workflows, requires no privileges or user interaction, and can lead to full compromise of the execution environment.

Recommended defensive actions

  • Upgrade WebdriverIO to version 9.24.0 or later in all affected environments.
  • Audit CI/CD jobs and developer workflows that invoke the affected test orchestration path, especially where repositories or branches may be untrusted.
  • Review any automation that passes testOrchestrationOptions.runSmartSelection.source and ensure inputs cannot originate from untrusted repositories without controls.
  • Re-run builds or tests from a known-good environment after upgrading if there is any chance the vulnerable path was exercised.
  • Check for unexpected shell activity, altered build artifacts, or leaked credentials/secrets in environments that processed potentially malicious branch names.
  • Use least-privilege credentials for test runners and isolate CI jobs to reduce blast radius if similar issues recur.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and linked official references. The CVE record was published at 2026-05-18T21:16:39.547Z and modified at 2026-05-19T21:08:29.203Z. The NVD entry lists WebdriverIO (OpenJSF CPE), vulnerability status Analyzed, CWE-78, and an affected version range ending before 9.24.0. The referenced source line and vendor advisory support the unsanitized execSync() interpolation claim, and the 9.24.0 release is identified as the fix.

Official resources

Publicly disclosed in the CVE record on 2026-05-18, with supporting vendor advisory and the 9.24.0 fix released the same day; the NVD record was updated on 2026-05-19.