CVE-2026-25244 — CRITICAL (9.8)

Q: How severe is CVE-2026-25244?

CVE-2026-25244 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-25244?

Check the references section above for vendor advisories and patch information. Affected products include: Openjsf Webdriverio.

Vulnerability Description

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Openjsf	Webdriverio	< 9.24.0

Related Weaknesses (CWE)

CWE-78

References

https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c4697Product
https://github.com/webdriverio/webdriverio/releases/tag/v9.24.0ProductRelease Notes
https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7ExploitVendor Advisory
https://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7ExploitVendor Advisory

FAQ

What is CVE-2026-25244?

CVE-2026-25244 is a vulnerability with a CVSS score of 9.8 (CRITICAL). WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to re...

How severe is CVE-2026-25244?

CVE-2026-25244 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-25244?

Check the references section above for vendor advisories and patch information. Affected products include: Openjsf Webdriverio.