Vite Testing Framework Vulnerability Allows Remote Code Execution
CVE-2026-53633
9.8CRITICAL
What is CVE-2026-53633?
The Vitest testing framework versions 3.0.0 through 3.2.5, 4.1.8, and 5.0.0-beta.4 have a vulnerability in Browser Mode that exposes the cdp() API, allowing attackers to forward raw Chrome DevTools Protocol (CDP) methods. This lack of safeguards enables a remote client to manipulate the application behavior, specifically using CDP commands like Page.setDownloadBehavior and Runtime.evaluate to overwrite vital configuration files, such as vite.config.ts, and execute malicious Node.js code. This issue has been rectified in the latest versions of Vitest.
Affected Version(s)
vitest >= 3.0.0, < 3.2.5 < 3.0.0, 3.2.5
vitest >= 4.0.0, < 4.1.8 < 4.0.0, 4.1.8
vitest >= 5.0.0-beta.0, < 5.0.0-beta.4 < 5.0.0-beta.0, 5.0.0-beta.4
