Missing Authorization in vitest - CVE-2026-53633
Published: July 9, 2026
vitest
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to missing authorization in the Browser Mode cdp() API and browser WebSocket RPC when the Browser Mode API is exposed to the network. A remote attacker can invoke raw Chrome DevTools Protocol methods to overwrite vite.config.ts and execute arbitrary code.
Exploitation requires a CDP-capable browser provider and an active browser session. The generated browser runner page exposes the API token, session id, project name, and project root path needed to connect to the browser WebSocket API.