Cyber Resilience

CVE-2025-57283

High

Published: 28 January 2026

Modified: 09 February 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57283 is a high-severity Code Injection (CWE-94) vulnerability in Browserstack Browserstack-Local. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 23.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57283 is a command injection vulnerability (CWE-94) affecting the Node.js package browserstack-local version 1.5.8. The flaw occurs because the logfile variable is not properly sanitized in the lib/Local.js file, enabling attackers to inject and execute arbitrary commands.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), meaning it is exploitable by a local attacker holding only low privileges. Exploitation is low complexity and needs no user interaction, and a successful attack has high impact on confidentiality, integrity, and availability, for example through arbitrary code execution on the affected system.

Further details, including potential advisories or patches, are referenced at https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1 and https://www.npmjs.com.

EU & UK References

Vulnerability details

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection via unsanitized logfile input directly enables arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45374 (shared CWE-94)
CVE-2026-44244 (shared CWE-94)
CVE-2026-29955 (shared CWE-94)
CVE-2024-55964 (shared CWE-94)
CVE-2026-20045 (shared CWE-94)
CVE-2025-67038 (shared CWE-94)
CVE-2026-45311 (shared CWE-94)
CVE-2024-23921 (shared CWE-94)
CVE-2026-39881 (shared CWE-94)
CVE-2025-59041 (shared CWE-94)

Affected Assets

browserstack
browserstack-local
1.5.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent

Directly requires validation and sanitization of the logfile variable in browserstack-local's lib/Local.js to prevent command injection exploitation.

SI-2 (Flaw Remediation), prevent

Mandates timely remediation of the specific command injection flaw (CVE-2025-57283) in the vulnerable Node.js package version 1.5.8.

detect

Facilitates identification of the command injection vulnerability in browserstack-local through vulnerability scanning of software dependencies.

References