Vite Testing Framework Vulnerability Allows Remote Code Execution
CVE-2026-53633

9.8CRITICAL

Key Information:

Vendor

Vitest-dev

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-53633?

The Vitest testing framework versions 3.0.0 through 3.2.5, 4.1.8, and 5.0.0-beta.4 have a vulnerability in Browser Mode that exposes the cdp() API, allowing attackers to forward raw Chrome DevTools Protocol (CDP) methods. This lack of safeguards enables a remote client to manipulate the application behavior, specifically using CDP commands like Page.setDownloadBehavior and Runtime.evaluate to overwrite vital configuration files, such as vite.config.ts, and execute malicious Node.js code. This issue has been rectified in the latest versions of Vitest.

Affected Version(s)

vitest >= 3.0.0, < 3.2.5 < 3.0.0, 3.2.5

vitest >= 4.0.0, < 4.1.8 < 4.0.0, 4.1.8

vitest >= 5.0.0-beta.0, < 5.0.0-beta.4 < 5.0.0-beta.0, 5.0.0-beta.4

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.