CVE-2025-24964

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24964
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24964.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-24964
Aliases
Published
2025-02-04T19:36:50Z
Modified
2025-11-04T20:35:58.080359Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Remote Code Execution when accessing a malicious website while Vitest API server is listening
Details

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "cwe_ids": [
        "CWE-1385"
    ]
}
References

Affected packages

Git / github.com/vitest-dev/vitest

Affected ranges

Type
GIT
Repo
https://github.com/vitest-dev/vitest
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
dc4b342fc20bdb160fa6038b7a15259b986a3618
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.0.125"
        }
    ]
}
Type
GIT
Repo
https://github.com/vitest-dev/vitest
Events
Introduced
34517cebf428f4d0452c63d9f2ec5ab13fe50c78
Fixed
017e1ee6c66179568b758b4d1e1796f551dc1366
Database specific 
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.6.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/vitest-dev/vitest
Events
Introduced
1b150a38918d157242c9259d6b1138e79fc8ed44
Fixed
c9e59a089d94642eea29a43f2ee1986a5afb99c6
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/vitest-dev/vitest
Events
Introduced
01600e04c2252abee78fc8a695197ce62f2846d4
Fixed
115466265d23622d75f0d798641354a18e285072
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.5"
        }
    ]
}

Affected versions

v0.*

v0.0.1
v0.0.10
v0.0.100
v0.0.101
v0.0.102
v0.0.103
v0.0.104
v0.0.105
v0.0.106
v0.0.107
v0.0.108
v0.0.109
v0.0.11
v0.0.110
v0.0.111
v0.0.112
v0.0.113
v0.0.114
v0.0.115
v0.0.116
v0.0.117
v0.0.118
v0.0.119
v0.0.12
v0.0.120
v0.0.121
v0.0.122
v0.0.123
v0.0.124
v0.0.125
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.3
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.4
v0.0.40
v0.0.41
v0.0.42
v0.0.43
v0.0.44
v0.0.45
v0.0.46
v0.0.47
v0.0.48
v0.0.49
v0.0.5
v0.0.50
v0.0.51
v0.0.52
v0.0.53
v0.0.54
v0.0.55
v0.0.56
v0.0.57
v0.0.58
v0.0.59
v0.0.6
v0.0.60
v0.0.61
v0.0.62
v0.0.63
v0.0.64
v0.0.65
v0.0.66
v0.0.67
v0.0.68
v0.0.69
v0.0.7
v0.0.70
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.0.75
v0.0.76
v0.0.77
v0.0.78
v0.0.79
v0.0.8
v0.0.80
v0.0.81
v0.0.82
v0.0.83
v0.0.84
v0.0.85
v0.0.86
v0.0.87
v0.0.88
v0.0.89
v0.0.9
v0.0.90
v0.0.91
v0.0.92
v0.0.93
v0.0.94
v0.0.95
v0.0.96
v0.0.97
v0.0.98
v0.0.99

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0-beta.4
v2.1.0-beta.5
v2.1.0-beta.6
v2.1.0-beta.7
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4