Missing Origin Validation in WebSockets
CVE-2025-24964
Summary
Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. There are no known workarounds for this vulnerability. This issue affects through 0.0.125, 1.0.0-beta0 through 1.6.0, 2.0.0-beta1 through 2.1.8, and 3.0.0-beta1 through 3.0.4.
- LOW
- NETWORK
- HIGH
- CHANGED
- REQUIRED
- NONE
- HIGH
- HIGH
CWE-1385 - Missing Origin Validation in WebSockets
The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
References
Advisory Timeline
- Published