SB2026070952 - Multiple vulnerabilities in vitest



SB2026070952 - Multiple vulnerabilities in vitest

Published: July 9, 2026

Security Bulletin ID SB2026070952
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Missing Authorization (CVE-ID: CVE-2026-53633)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to missing authorization in the Browser Mode cdp() API and browser WebSocket RPC when the Browser Mode API is exposed to the network. A remote attacker can invoke raw Chrome DevTools Protocol methods to overwrite vite.config.ts and execute arbitrary code.

Exploitation requires a CDP-capable browser provider and an active browser session. The generated browser runner page exposes the API token, session id, project name, and project root path needed to connect to the browser WebSocket API.


2) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to read, create, overwrite, or delete arbitrary files accessible to the Vitest process.

The vulnerability exists due to path traversal in Browser Mode provider commands when handling client-supplied file paths through the Browser Mode API. A remote attacker can send crafted command inputs with absolute paths or traversal sequences to read, create, overwrite, or delete arbitrary files accessible to the Vitest process.

This is most relevant when the Browser Mode API is reachable from another machine or origin, or when untrusted test code is relied upon to be contained by the file-access restriction.


Remediation

Install update from vendor's website.