Skip to content

Security Fix: Upgrade vitest to Address Critical RCE Vulnerability (CVE-2025-24964) #451

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Security Fix: Upgrade vitest to Address Critical RCE Vulnerability (CVE-2025-24964) #451

wants to merge 1 commit into from

Conversation

diordiordiordior
Copy link

Hi team,

During a review using Semgrep, I identified a critical security vulnerability affecting this repository's development dependencies.

Issue: vitest@2.1.1 is affected by CVE-2025-24964, which allows Remote Code Execution (RCE) via Cross-site WebSocket Hijacking (CSWSH) when the Vitest API server is running and a developer visits a malicious website.

Severity: Critical — no origin validation allows arbitrary WebSocket connections to trigger test runner commands and potentially execute arbitrary code on a dev machine.

Likelihood: Medium to High. Many dev setups run vitest --watch or enable its UI/API server by default. Exploitation only requires a developer to visit a malicious website while the test server is active.

Recommended Fix: Upgrade to vitest >= 2.1.9 (or preferably 3.0.5) where this issue has been patched.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@diordiordiordior @aaronmilligan