{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-57283", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-01-29T15:11:40.801Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2026-01-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-28T15:45:34.249Z"}, "descriptions": [{"lang": "en", "value": "The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com"}, {"url": "https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T15:10:54.857862Z", "id": "CVE-2025-57283", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T15:11:40.801Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:browserstack:browserstack-local:1.5.8:*:*:*:*:node.js:*:*", "matchCriteriaId": "F0E0303B-1A77-4544-BE78-D4ACADAF7475", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js."}], "id": "CVE-2025-57283", "lastModified": "2026-02-09T19:17:13.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-28T16:16:12.737", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.npmjs.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "browserstack-local: OS command injection in the logfile variable in lib/Local.js", "id": "2433928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433928"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.", "A flaw was found in browserstack-local. Improper input sanitization of the logfile variable allows an attacker to inject arbitrary OS commands that are executed when this variable is processed, resulting in arbitrary command execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, implement strict input validation of the logfile variable using an allow-list approach. Ensure the input allows only alphanumeric characters, dots, dashes, underscores, and forward slashes. Any input containing other characters should be rejected immediately."}, "name": "CVE-2025-57283", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.syndesis-syndesis-parent", "product_name": "Red Hat Fuse 7"}], "public_date": "2026-01-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-57283\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-57283\nhttps://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1\nhttps://www.npmjs.com"], "statement": "To exploit this flaw, an attacker needs to have the ability to set the logfile variable, which typically implies prior access to the configuration files or the environment where the configuration is defined and permission to modify it. Due to this reason, this issue has been rated with an important severity.", "threat_severity": "Important"}