chore(deps): update dependency vitest to v2.1.9 [security]#2
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency vitest to v2.1.9 [security]#2renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
3add793 to
d92bd5c
Compare
d92bd5c to
6b86180
Compare
3df5956 to
356f6d8
Compare
356f6d8 to
e47d3ee
Compare
e47d3ee to
bde9268
Compare
bde9268 to
0ebffa0
Compare
6d72268 to
96ea1d3
Compare
96ea1d3 to
ab9fa01
Compare
ab9fa01 to
ff2e182
Compare
ff2e182 to
8e467f6
Compare
8e467f6 to
b5ae864
Compare
b5ae864 to
3208bc4
Compare
3208bc4 to
0cb821f
Compare
0cb821f to
f6ec894
Compare
f6ec894 to
a81de13
Compare
e176099 to
23df3e5
Compare
23df3e5 to
9ecee91
Compare
9ecee91 to
88dea58
Compare
88dea58 to
8ad5112
Compare
8ad5112 to
e83911f
Compare
e83911f to
e1e9ca8
Compare
e1e9ca8 to
56060fc
Compare
56060fc to
b5bc669
Compare
b5bc669 to
8686859
Compare
8686859 to
a9c3847
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.1.1→2.1.9Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
CVE-2025-24964 / GHSA-9crc-q9x8-hgqq
More information
Details
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When
apioption is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has
saveTestFileAPI that can edit a test file andrerunAPI that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by thesaveTestFileAPI and then running that file by calling thererunAPI.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitest-dev/vitest (vitest)
v2.1.9Compare Source
This release includes security patches for:
🐞 Bug Fixes
/__screenshot-error- by @hi-ogawa in #7343View changes on GitHub
v2.1.8Compare Source
🐞 Bug Fixes
View changes on GitHub
v2.1.7Compare Source
🐞 Bug Fixes
pnpm.overridesor yarn resolutions to override theviteversion in thevitestpackage - the APIs are compatible.View changes on GitHub
v2.1.6Compare Source
🚀 Features
View changes on GitHub
v2.1.5Compare Source
🐞 Bug Fixes
dangerouslyIgnoreUnhandledErrorswithout base reporter - by @AriPerkkio in #6808 (0bf0a)unhandledRejectioneven when base reporter is not used - by @AriPerkkio in #6812 (8878b)sequence.concurrentfrom theRuntimeConfigtype - by @sheremet-va in #6880 (6af73).poll,.element,.rejects/.resolves, andlocator.*weren't awaited - by @sheremet-va in #6877 (93b67)enteror'a'- by @AriPerkkio in #6848 (487c8)🏎 Performance
View changes on GitHub
v2.1.4Compare Source
🚀 Features
This patch release includes a non-breaking feature for the experimental Browser Mode that doesn't follow SemVer. If you want to avoid picking up releases like this, make sure to pin the Vitest version in your
package.json. See npm's documentation about semver for more information.transformIndexHtml- by @sheremet-va in #6725 (16902)🐞 Bug Fixes
v=queries to setup files imports - by @sheremet-va in #6759 (b8258)toThrowErrorwith empty string parameter - by @shulaoda in #6710 (a6129)test.extendtype exports - by @hi-ogawa in #6707 (e5c38)🏎 Performance
hashto replacecreateHash- by @btea in #6703 (5d07b)View changes on GitHub
v2.1.3Compare Source
🐞 Bug Fixes
toBeNaN, toBeUndefined, toBeNull, toBeTruthy, toBeFalsy- by @hi-ogawa in #6697 (e0027)/mockServiceWorker.jsinstead of/__vitest_msw__- by @sheremet-va in #6687 (4b2ce)toMatchObjectdiff - by @hi-ogawa in #6620 (d289e)<empty line>logs when interleavingconsole.log/error- by @hi-ogawa in #6644 (9ece3)fast-globinstead oftinyglobbyin Vitest - by @sheremet-va in #6688 (70baa)🏎 Performance
View changes on GitHub
v2.1.2Compare Source
🐞 Bug Fixes
Vitest.setServerto postconfigureServerhook to enable import analysis for workspace config loading - by @hi-ogawa in #6584 (e7f35)BenchmarkResult.samplesarray to reduce memory usage - by @hi-ogawa and @AriPerkkio in #6541 (a6407)data:protocol on preview provider file upload - by @userquin in #6501 (e9821)*.astroby default - by @AriPerkkio in #6565 (f8ff7)cleanOnRerun: falseto invalidate previous results - by @AriPerkkio in #6592 (88bde)toBeDefinedwithexpect.poll- by @hi-ogawa in #6562 (f7da6)--cpu-profand--heap-profnot working by default - by @AriPerkkio in #6555 (2e4d894)beforeAllfailed - by @hi-ogawa in #6524 (fb797)onTestFinishedandonTestFailedduringretryandrepeats- by @hi-ogawa in #6609 (c5e29)--standalone- by @hi-ogawa in #6577 (d0bf8)View changes on GitHub
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.