CVE-2026-49143
BrowserStack · Runner
BrowserStack Runner contains a remote code execution vulnerability in its HTTP handler that can be exploited by unauthenticated, network-adjacent attackers.
Executive summary
BrowserStack Runner is vulnerable to remote code execution due to improper handling of JSON requests in its logging component.
Vulnerability
The /_log HTTP handler in BrowserStack Runner fails to properly sanitize or authorize requests. An unauthenticated, network-adjacent attacker can submit a crafted JSON request body to execute arbitrary code on the host system.
Business impact
The CVSS score of 8.8 highlights the critical nature of this RCE vulnerability. Successful exploitation grants attackers full control over the affected Runner instance, which could be used to disrupt testing pipelines or serve as a pivot point for further network infiltration.
Remediation
Immediate Action: Update BrowserStack Runner to the latest version immediately to patch the vulnerable HTTP handler.
Proactive Monitoring: Monitor network traffic for anomalous JSON payloads directed toward the runner service and review system logs for unauthorized processes.
Compensating Controls: Implement strict network access controls to ensure that only authorized internal systems can communicate with the BrowserStack Runner service.
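As an added illustration of the monitoring and access-control steps above (example code written for this page, not part of the advisory and not BrowserStack's own tooling), the following Python scans a constructed access log for requests to the /_log handler that come from outside an assumed CI allowlist or that carry a body a legitimate log entry would not; the log format, allowlist range and size ceiling are all assumptions:

```python
import json
import re
from ipaddress import ip_address, ip_network

# Constructed log format for this example (not the Runner's own format):
#   "<client_ip> <method> <path> <status> <request_body or ->"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<body>.*)$")

# Assumed allowlist: the internal CI hosts permitted to reach the Runner (placeholder range).
ALLOWED_NETS = [ip_network("10.20.0.0/24")]
MAX_BODY_BYTES = 4096  # assumed ceiling for a legitimate log entry


def flag_log_request(line, allowed_nets=ALLOWED_NETS, max_body=MAX_BODY_BYTES):
    """Return the reasons a request to /_log looks suspicious; [] if benign or not /_log."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    if m["path"].split("?", 1)[0] != "/_log":
        return []  # only the vulnerable handler is of interest here
    reasons = []
    try:
        src = ip_address(m["ip"])
    except ValueError:
        reasons.append(f"unparseable source address {m['ip']}")
    else:
        if not any(src in net for net in allowed_nets):
            reasons.append(f"source {src} not in allowlist")
    body = m["body"]
    if body != "-":
        if len(body.encode()) > max_body:
            reasons.append("oversized body")
        try:
            parsed = json.loads(body)
        except ValueError:
            reasons.append("body is not valid JSON")
        else:
            if not isinstance(parsed, dict):  # a log entry is expected to be a JSON object
                reasons.append("JSON body is not an object")
    return reasons


def scan(lines):
    """Map line index -> reasons for every line that raised at least one flag."""
    return {i: r for i, line in enumerate(lines) if (r := flag_log_request(line))}


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.20.0.5 POST /_log 200 {"level":"info","msg":"suite started"}',
    '192.0.2.10 POST /_log 200 {"level":"info","msg":"hello"}',
    "10.20.0.5 POST /_log 200 not-json {",
    "10.20.0.6 GET /health 200 -",
    "10.20.0.7 POST /_log 200 [1,2,3]",
]
```

Run `scan(SAMPLE_LOG)` to see which constructed lines are flagged; in practice the allowlist should match the network controls enforced in front of the Runner so that a hit means the control was bypassed.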
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the risk of remote code execution, all instances of BrowserStack Runner must be updated to the latest version as soon as possible. Organizations should also verify that their runner instances are not exposed to untrusted networks or the public internet.