{
  "threat_severity" : "Important",
  "public_date" : "2026-05-18T20:31:14Z",
  "bugzilla" : {
    "description" : "WebdriverIO: Remote Code Execution via command injection in Git branch name processing",
    "id" : "2479692",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2479692"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-78",
  "details" : [ "WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.", "A flaw was found in WebdriverIO. A remote attacker can exploit a command injection vulnerability by crafting a malicious Git repository with a specially named branch. This branch name, containing shell metacharacters, is unsafely processed during test orchestration. This allows for remote code execution on affected systems, potentially leading to the disclosure of sensitive information, system compromise, and supply chain attacks." ],
  "statement" : "This vulnerability is rated as Important by Red Hat. Successful exploitation requires the attacker to gain access to or influence the Git repository being processed in order to supply a malicious branch name; this generally requires at least minimal permissions to modify SCM-controlled content. Additionally, user interaction is required, because the target must check out a repository or process a pull request.",
  "package_state" : [ {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "dotnet8.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-25244\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25244\nhttps://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204\nhttps://github.com/webdriverio/webdriverio/releases/tag/v9.24.0\nhttps://github.com/webdriverio/webdriverio/security/advisories/GHSA-5c46-x3qw-q7j7" ],
  "name" : "CVE-2026-25244",
  "csaw" : false
}