Arbitrary Remote Code Execution in Vitest by Vite Framework
CVE-2025-24964

9.7CRITICAL

Key Information:

Vendor
Vitest-dev
Status
Vitest
Vendor
CVE Published:
4 February 2025

Summary

Vitest, a testing framework powered by Vite, is vulnerable to arbitrary remote code execution due to inadequate security checks in its WebSocket server. When the API option is enabled, Vitest starts a WebSocket server that lacks proper Origin header validation and authorization mechanisms, making it susceptible to Cross-site WebSocket hijacking (CSWSH) attacks. This vulnerability allows attackers to exploit the 'saveTestFile' and 'rerun' APIs, enabling them to inject malicious code into test files and executing it. Users of the Vitest serve API are strongly encouraged to update to the patched versions 1.6.1, 2.1.9, or 3.0.5 to mitigate this security risk.

Affected Version(s)

vitest <= 0.0.125 <= 0.0.125

vitest >= 1.0.0, < 1.6.1 < 1.0.0, 1.6.1

vitest >= 2.0.0, < 2.1.9 < 2.0.0, 2.1.9

References

https://github.com/vitest-dev/vitest/security/advisories/...
x_refsource_CONFIRM
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02...
x_refsource_MISC
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02...
x_refsource_MISC

CVSS V3.1

Score:
9.7
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-24964 : Arbitrary Remote Code Execution in Vitest by Vite Framework | SecurityVulnerability.io