Cyber Posture

CVE-2025-57283

Severity: High
Published: 28 January 2026
Modified: 09 February 2026
KEV Added: not listed
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57283 is a high-severity Code Injection (CWE-94) vulnerability in Browserstack Browserstack-Local. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 21.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of the logfile variable in browserstack-local's lib/Local.js to prevent command injection exploitation.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the specific command injection flaw (CVE-2025-57283) in the vulnerable Node.js package version 1.5.8.

Vulnerability scanning (detect)
Facilitates identification of the command injection vulnerability in browserstack-local through vulnerability scanning of software dependencies.

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection via unsanitized logfile input directly enables arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

Deeper analysis

CVE-2025-57283 is a command injection vulnerability (classified as CWE-94, Code Injection) affecting version 1.5.8 of the Node.js package browserstack-local. The flaw occurs because the logfile variable is not properly sanitized in the lib/Local.js file, so an attacker who controls that value can inject and execute arbitrary commands.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), meaning it is exploitable by a local attacker holding low privileges. Exploitation is low complexity and needs no user interaction, and a successful attack has high impact on confidentiality, integrity, and availability, up to arbitrary code execution on the affected system.

Further details, including potential advisories or patches, are referenced at https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1 and https://www.npmjs.com.

Details

CWE(s)

CWE-94 (Code Injection)

Affected Products

browserstack browserstack-local 1.5.8

CVEs Like This One

CVE-2026-25001 (shared CWE-94)
CVE-2025-69262 (shared CWE-94)
CVE-2024-39148 (shared CWE-94)
CVE-2026-3120 (shared CWE-94)
CVE-2025-22905 (shared CWE-94)
CVE-2026-29955 (shared CWE-94)
CVE-2026-35197 (shared CWE-94)
CVE-2024-55964 (shared CWE-94)
CVE-2025-67944 (shared CWE-94)
CVE-2025-59041 (shared CWE-94)

References