CVE-2025-24964 in vitestinfo

Summary

by MITRE • 02/04/2025

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/31/2025

This vulnerability affects Vitest, a popular testing framework built on Vite, and represents a critical cross-site WebSocket hijacking (CSWSH) flaw that enables remote code execution. The vulnerability stems from the WebSocket server component that Vitest exposes when the API option is enabled, which occurs automatically when the Vitest UI is active. The WebSocket server lacks proper origin validation and authentication mechanisms, creating an attack surface that allows malicious actors to hijack WebSocket connections from authenticated users. The flaw specifically impacts versions prior to 1.6.1, 2.1.9, and 3.0.5, where the WebSocket endpoint does not verify the Origin header or implement any authorization checks, making it susceptible to CSRF-like attacks targeting WebSocket connections.

The technical exploitation of this vulnerability involves a two-stage attack process that leverages the exposed WebSocket APIs. Attackers can utilize the `saveTestFile` API endpoint to inject malicious code into test files, effectively creating a backdoor within the testing environment. Subsequently, the attacker can trigger the `rerun` API to execute the injected code within the context of the Vitest process. This privilege escalation allows attackers to perform arbitrary code execution on systems where Vitest is running with elevated privileges, potentially compromising the entire development environment. The vulnerability is particularly dangerous because it operates at the application layer, where the WebSocket server runs with the same permissions as the Vitest process, enabling full access to the underlying file system and execution capabilities.

The operational impact of this vulnerability extends beyond simple code injection, as it can lead to complete system compromise when developers interact with malicious websites while their Vitest servers are active. This scenario commonly occurs in development environments where developers frequently navigate between multiple websites and may inadvertently trigger the attack vector while the Vitest UI server is running. The attack requires no prior authentication or special privileges, making it particularly dangerous in environments where developers have elevated access to development machines. According to CWE-346, this vulnerability represents a failure to verify the origin of WebSocket connections, while the ATT&CK framework categorizes this as a technique involving unauthorized access to web applications through session hijacking or connection manipulation. The vulnerability's severity is amplified by the fact that it affects the development workflow itself, potentially compromising source code integrity and leading to further supply chain attacks.

Organizations and developers should immediately upgrade to patched versions 1.6.1, 2.1.9, or 3.0.5 to remediate this vulnerability. The patch addresses the root cause by implementing proper origin validation and authorization checks for the WebSocket server endpoints. Security best practices recommend disabling the API server in production environments and ensuring that developers only run Vitest servers in trusted environments. Additional mitigations include implementing network-level firewalls to restrict access to the Vitest WebSocket ports, configuring proper CORS policies, and using secure development practices that limit the exposure of development tools to untrusted networks. Given the lack of known workarounds, immediate patching is essential to protect development environments from potential exploitation, as the vulnerability can be leveraged by attackers with minimal technical expertise to gain persistent access to development systems.

Responsible

GitHub M

Reservation

01/29/2025

Disclosure

02/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00670

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!