CVE-2025-24964Missing Origin Validation in WebSockets in Vitest

CWE-1385Missing Origin Validation in WebSockets3 documents3 sources
Severity
8.8HIGHNVD
EPSS
4.4%
top 11.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Vitest.dev VitestVitest-dev Vitest
Timeline
PublishedFeb 4

Description

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDvitest.dev/vitest1.0.01.6.1+3
npmvitest-dev/vitest1.0.01.6.1+3
CVEListV5vitest-dev/vitest0.0.125+3

🔴Vulnerability Details

2
GHSA
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening2025-02-04
OSV
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening2025-02-04