#VU114354 Missing Origin Validation in WebSockets in vitest - CVE-2025-24964
Published: August 22, 2025
Vulnerability identifier: #VU114354
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-24964
CWE-ID: CWE-1385
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
vitest
vitest
Software vendor:
Vitest
Vitest
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to WebSocket server does not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. . A remote attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API.
Remediation
Install updates from vendor's website.
External links
- https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
- https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq
- https://vitest.dev/config/#api