Skip to main content

Missing Origin Validation in WebSockets

CVE-2025-24964

Severity High
Score 9.6/10

Summary

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. There are no known workarounds for this vulnerability. This issue affects through 0.0.125, 1.0.0-beta0 through 1.6.0, 2.0.0-beta1 through 2.1.8, and 3.0.0-beta1 through 3.0.4.

  • LOW
  • NETWORK
  • HIGH
  • CHANGED
  • REQUIRED
  • NONE
  • HIGH
  • HIGH

CWE-1385 - Missing Origin Validation in WebSockets

The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

References

Advisory Timeline

  • Published