VYPR
Critical severityNVD Advisory· Published Feb 4, 2025· Updated Feb 12, 2025

Remote Code Execution when accessing a malicious website while Vitest API server is listening

CVE-2025-24964

Description

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vitestnpm
>= 1.0.0, < 1.6.11.6.1
vitestnpm
>= 2.0.0, < 2.1.92.1.9
vitestnpm
>= 3.0.0, < 3.0.53.0.5
vitestnpm
<= 0.0.125

Affected products

2
  • ghsa-coords
    Range: >= 1.0.0, < 1.6.1
  • vitest-dev/vitestv5
    Range: <= 0.0.125

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.