npm package
@vitest/browser
pkg:npm/%40vitest/browser
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-53633 | cri | — | | >= 5.0.0-beta.0, < 5.0.0-beta.4 | 5.0.0-beta.4 | Jun 15, 2026 | Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. CDP is not gated by `browser.api.allowWrite`, `browser.api.allowExec`, `api.allowWrite`, or `api.allowExec`. As a result, disabli |
| CVE-2025-24963 | | — | | >= 2.0.4, < 2.1.9 | 2.1.9 | Feb 4, 2025 | Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handle |