CVE-2026-53633 in Vitest
Summary
by MITRE • 07/15/2026
Vitest is a testing framework powered by Vite. From 3.0.0 until 3.2.5, 4.1.8, and 5.0.0-beta.4, Vitest Browser Mode exposed a cdp() API that forwarded raw Chrome DevTools Protocol methods without being gated by allowWrite or allowExec, allowing a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. This issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Vitest affects versions from 3.0.0 through 3.2.5, 4.1.8, and 5.0.0-beta where the browser mode implementation exposes a cdp() API that provides direct access to Chrome DevTools Protocol methods without proper access controls. This flaw resides in the security model of the testing framework's browser execution environment, creating an attack surface where remote clients can leverage exposed browser API metadata to execute privileged operations. The vulnerability specifically impacts the CDP Page.setDownloadBehavior and Runtime.evaluate methods which together enable both file system manipulation and code execution capabilities.
The technical implementation of this vulnerability stems from insufficient input validation and access control mechanisms within the Vitest framework's browser mode functionality. When the cdp() API is exposed to remote clients, it bypasses the normal allowWrite and allowExec security gates that should restrict file system modifications and code execution respectively. This creates a privilege escalation scenario where an attacker can use Page.setDownloadBehavior to modify the vite.config.ts configuration file and Runtime.evaluate to execute arbitrary Node.js code within the testing environment. The flaw represents a direct violation of the principle of least privilege and demonstrates inadequate sandboxing of browser-based API access.
The operational impact of this vulnerability is severe as it allows remote code execution on systems running vulnerable versions of Vitest, potentially leading to complete system compromise. Attackers can leverage this vulnerability to modify critical configuration files that control how tests are executed, inject malicious code into the testing pipeline, and ultimately gain control over development environments. The vulnerability affects both development and CI/CD environments where Vitest is used for automated testing, making it particularly dangerous in continuous integration workflows where untrusted code might be executed. The exposure occurs through browser API metadata that should not grant such elevated privileges.
Security mitigations include upgrading to the patched versions 3.2.5, 4.1.8, and 5.0.0-beta where the cdp() API access controls have been properly implemented. Organizations should also implement network segmentation to limit exposure of development environments containing vulnerable Vitest installations, disable browser mode when not actively needed, and monitor for unauthorized modifications to configuration files. The vulnerability aligns with CWE-284 (Improper Access Control) and maps to ATT&CK technique T1059.006 (Command and Scripting Interpreter: Python) through the execution of Node.js code, while also representing a privilege escalation vector that could enable further attacks within the development infrastructure.