{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-57283", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-06-30T03:21:11.522Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2026-01-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-28T15:45:34.249Z"}, "descriptions": [{"lang": "en", "value": "The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com"}, {"url": "https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T15:10:54.857862Z", "id": "CVE-2025-57283", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T15:11:40.801Z"}}, {"affected": [{"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "defaultStatus": "affected", "product": "Red Hat Fuse 7", "vendor": "Red Hat"}], "datePublic": "2026-01-28T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A flaw was found in browserstack-local. Improper input sanitization of the logfile variable allows an attacker to inject arbitrary OS commands that are executed when this variable is processed, resulting in arbitrary command execution."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2025-57283"}, {"name": "RHBZ#2433928", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433928"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-57283.json"}], "timeline": [{"lang": "en", "time": "2026-01-28T16:01:31.833Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-28T00:00:00.000Z", "value": "Made public."}], "title": "browserstack-local: OS command injection in the logfile variable in lib/Local.js", "workarounds": [{"lang": "en", "value": "To mitigate this issue, implement strict input validation of the logfile variable using an allow-list approach. Ensure the input allows only alphanumeric characters, dots, dashes, underscores, and forward slashes. Any input containing other characters should be rejected immediately."}], "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T03:21:11.522Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "browserstack-local: OS command injection in the logfile variable in lib/Local.js", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-01-28T16:01:31.833Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-28T00:00:00.000Z", "value": "Made public."}], "x_adpType": "supplier", "datePublic": "2026-01-28T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-57283", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433928", "name": "RHBZ#2433928", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-57283.json", "tags": ["x_sadp-csaf-vex"]}], "workarounds": [{"lang": "en", "value": "To mitigate this issue, implement strict input validation of the logfile variable using an allow-list approach. Ensure the input allows only alphanumeric characters, dots, dashes, underscores, and forward slashes. Any input containing other characters should be rejected immediately."}], "x_generator": {"engine": "sadp-cli 1.0.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in browserstack-local. Improper input sanitization of the logfile variable allows an attacker to inject arbitrary OS commands that are executed when this variable is processed, resulting in arbitrary command execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T02:46:41.709Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-57283", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-29T15:10:54.857862Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T15:11:26.356Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.npmjs.com"}, {"url": "https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1"}], "descriptions": [{"lang": "en", "value": "The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-28T15:45:34.249Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57283", "state": "PUBLISHED", "dateUpdated": "2026-06-30T02:46:41.709Z", "dateReserved": "2025-08-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-28T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "source": "cve@mitre.org"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:browserstack:browserstack-local:1.5.8:*:*:*:*:node.js:*:*", "matchCriteriaId": "F0E0303B-1A77-4544-BE78-D4ACADAF7475", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js."}, {"lang": "es", "value": "El paquete de Node.js browserstack-local 1.5.8 contiene una vulnerabilidad de inyecci\u00f3n de comandos. Esto ocurre porque la variable logfile no se sanea correctamente en lib/Local.js."}], "id": "CVE-2025-57283", "lastModified": "2026-06-17T09:42:59.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-57283", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2026-01-29T15:10:54.857862Z", "version": "2.0.3"}}]}, "published": "2026-01-28T16:16:12.737", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.npmjs.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "browserstack-local: OS command injection in the logfile variable in lib/Local.js", "id": "2433928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433928"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.", "A flaw was found in browserstack-local. Improper input sanitization of the logfile variable allows an attacker to inject arbitrary OS commands that are executed when this variable is processed, resulting in arbitrary command execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, implement strict input validation of the logfile variable using an allow-list approach. Ensure the input allows only alphanumeric characters, dots, dashes, underscores, and forward slashes. Any input containing other characters should be rejected immediately."}, "name": "CVE-2025-57283", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.syndesis-syndesis-parent", "product_name": "Red Hat Fuse 7"}], "public_date": "2026-01-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-57283\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-57283\nhttps://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1\nhttps://www.npmjs.com"], "statement": "To exploit this flaw, an attacker needs to have the ability to set the logfile variable, which typically implies prior access to the configuration files or the environment where the configuration is defined and permission to modify it. Due to this reason, this issue has been rated with an important severity.", "threat_severity": "Important"}

{"created": "2026-01-29T09:17:49.398002+00:00", "updated": "2026-01-29T09:17:49.398063+00:00", "vendors": ["browserstack", "browserstack$PRODUCT$browserstack-local"]}