CVE-2026-25244

WebdriverIO · WebdriverIO

WebdriverIO versions below 9.24.0 are vulnerable to command injection through unsanitized Git branch names, which can lead to remote code execution on the machines that run the test suite (CI/CD runners and developer workstations).

Executive summary

A critical command injection vulnerability in WebdriverIO allows an attacker who can influence a Git branch name in the repository under test to execute arbitrary commands on the CI/CD servers and developer machines that run the test suite, putting every artifact those machines build at risk of supply-chain compromise.

Vulnerability

The getGitMetadataForAISelection() function reads a Git branch name and interpolates it directly into a command string passed to execSync(), which runs that string through the system shell. Git itself only forbids a handful of characters in ref names (space, ~, ^, :, ?, *, [, backslash and control characters), so a branch name may legally contain shell metacharacters such as ;, |, &, backticks or $(...). Such a name terminates or extends the intended git command, and the embedded command runs with the privileges of the test process.

Business impact

With a CVSS score of 9.8 (Critical), this vulnerability enables remote code execution on build servers. The impact is severe: an attacker can exfiltrate environment secrets, SSH keys and source code, and can insert malicious backdoors into build artifacts produced by the compromised pipeline.

Remediation

Immediate Action: Upgrade WebdriverIO to version 9.24.0 or later.

Proactive Monitoring: Review CI/CD job logs and runner process-audit data for shells or processes spawned during the test stage that are not part of the expected git or test commands, and treat recently pushed branches or pull-request refs whose names contain shell metacharacters (; | & $ ` ( )) as indicators of attempted exploitation.

Compensating Controls: Until the upgrade is deployed, enforce strict validation of repository branch names (for example, reject any ref name containing characters outside a conservative allowlist of letters, digits, '.', '_', '-' and '/', or beginning with '-'), and run CI/CD pipelines under least-privileged service accounts with narrowly scoped, short-lived credentials so that a compromised test job cannot reach production secrets.

Exploitation status

Public Exploit Available: No