CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-24964 – Remote Code Execution when accessing a malicious website while Vitest API server is listening
https://notcve.org/view.php?id=CVE-2025-24964
04 Feb 2025 — Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit... • https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46 • CWE-1385: Missing Origin Validation in WebSockets •