Arbitrary Remote Code Execution in Vitest by Vite Framework
CVE-2025-24964

9.7CRITICAL

Key Information:

Vendor

Vitest-dev

Status
Vitest
Vendor
CVE Published:
4 February 2025

What is CVE-2025-24964?

Vitest, a testing framework powered by Vite, is vulnerable to arbitrary remote code execution due to inadequate security checks in its WebSocket server. When the API option is enabled, Vitest starts a WebSocket server that lacks proper Origin header validation and authorization mechanisms, making it susceptible to Cross-site WebSocket hijacking (CSWSH) attacks. This vulnerability allows attackers to exploit the 'saveTestFile' and 'rerun' APIs, enabling them to inject malicious code into test files and executing it. Users of the Vitest serve API are strongly encouraged to update to the patched versions 1.6.1, 2.1.9, or 3.0.5 to mitigate this security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

vitest <= 0.0.125 <= 0.0.125

vitest >= 1.0.0, < 1.6.1 < 1.0.0, 1.6.1

vitest >= 2.0.0, < 2.1.9 < 2.0.0, 2.1.9

References

https://github.com/vitest-dev/vitest/security/advisories/...
x_refsource_CONFIRM
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02...
x_refsource_MISC
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02...
x_refsource_MISC

CVSS V3.1

Score:
9.7
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.