SB2025082201 - Multiple vulnerabilities in vitest



SB2025082201 - Multiple vulnerabilities in vitest

Published: August 22, 2025 Updated: April 24, 2026

Security Bulletin ID SB2025082201
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Missing Origin Validation in WebSockets (CVE-ID: CVE-2025-24964)

CWE-ID: CWE-1385 - Missing Origin Validation in WebSockets

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to WebSocket server does not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. . A remote attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API.


2) Path traversal (CVE-ID: CVE-2025-24963)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in the __screenshot-error handler on the browser mode HTTP server when handling requests with a user-supplied file parameter. A remote attacker can send a specially crafted request to disclose sensitive information.

Only instances with browser.api.host enabled and exposed on the network are vulnerable.


Remediation

Install update from vendor's website.