Missing Authorization in vitest - CVE-2026-53633

 

Missing Authorization in vitest - CVE-2026-53633

Published: July 9, 2026


Vulnerability identifier: #VU137282
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-53633
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vitest
Affected software:
vitest

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to missing authorization in the Browser Mode cdp() API and browser WebSocket RPC when the Browser Mode API is exposed to the network. A remote attacker can invoke raw Chrome DevTools Protocol methods to overwrite vite.config.ts and execute arbitrary code.

Exploitation requires a CDP-capable browser provider and an active browser session. The generated browser runner page exposes the API token, session id, project name, and project root path needed to connect to the browser WebSocket API.


How to mitigate CVE-2026-53633

Install security update from vendor's website.

Sources