A critical Vitest RCE vulnerability has put a hugely popular testing framework in the spotlight. Tracked as CVE-2026-53633 and rated a maximum-tier CVSS 9.8, the flaw can hand attackers remote code execution. Because Vitest sees over 57 million weekly npm downloads, the potential blast radius is large. Worse still, full technical details and proof-of-concept exploit code are already public.
How the attack works
The problem lives in Vitest’s Browser Mode. Specifically, it exposes a cdp() API that forwards raw Chrome DevTools Protocol commands. According to the advisory, “CDP is not gated by browser.api.allowWrite, browser.api.allowExec, api.allowWrite, or api.allowExec.”
In plain terms, setting those options to disallow writes and exec does not actually stop an attacker, because equivalent actions can be routed through CDP instead. As a result, an attacker can overwrite the project’s vite.config.ts file.
That last step is the dangerous one. The advisory explains that “when Vitest reloads the changed config, attacker-controlled Node.js code executes on the host running Vitest.” In other words, a config overwrite becomes full code execution.
When it turns remote
This Vitest RCE vulnerability grows more dangerous once Browser Mode is exposed to the network. For example, some teams bind the browser API to 0.0.0.0 for remote testing.
In that setup, the generated runner page leaks everything an attacker needs. That includes the API token, the active session id, the project name, and the project root path. Consequently, a remote client can authenticate and trigger the config overwrite while a session is live.
The flaw affects Browser Mode projects using a CDP-capable provider, such as Playwright Chromium. Local-only setups face a smaller window, yet the exposed configurations are the real concern.
Patch now
The maintainers have shipped fixes, and upgrading is the clearest path forward. You can read the full Vitest security advisory for the complete writeup.
Choose the release that matches your branch. The team patched the 4.x line in v4.1.8 and the 3.x line in v3.2.5. Meanwhile, beta users should move to v5.0.0-beta.4.
If you cannot patch immediately, never expose the Browser Mode API to untrusted networks. Above all, treat any internet-facing test server as an urgent priority, since this Vitest RCE vulnerability now has a public exploit.
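As an added defender-side helper (not code from the advisory or the Vitest project), the snippet below checks an installed Vitest version against the fixed releases listed above and flags the exposure pattern from the previous section: Browser Mode with a CDP-capable provider whose API is bound to all interfaces. The config shape (test.browser.provider, test.browser.api.host/allowWrite/allowExec) and the use of "playwright" as the CDP-capable provider name are assumptions taken from the text, not verified against Vitest's schema.

```typescript
// Fixed release per major branch, as given in the advisory summary above.
const FIXED_BY_MAJOR: Record<number, string> = { 3: "3.2.5", 4: "4.1.8", 5: "5.0.0-beta.4" };

// Minimal semver parse: x.y.z with an optional prerelease tag such as "beta.4".
function parseVersion(v: string): { core: number[]; pre: string[] | null } {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : null };
}

// Comparator (negative, zero, positive). As in semver, a stable release ranks above the
// same x.y.z with a prerelease tag (5.0.0 > 5.0.0-beta.4), and beta.4 > beta.3.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (!pa.pre || !pb.pre) return Number(!!pb.pre) - Number(!!pa.pre); // stable > prerelease
  const ap = pa.pre, bp = pb.pre;
  for (let i = 0; i < Math.max(ap.length, bp.length); i++) {
    if (i >= ap.length || i >= bp.length) return ap.length - bp.length; // shorter list ranks lower
    const x = ap[i], y = bp[i], nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x - +y; }
    else if (nx !== ny) return nx ? -1 : 1; // numeric identifiers rank below alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// true = at or above its branch's fixed release; false = vulnerable; null = branch not listed above.
function isPatched(installed: string): boolean | null {
  const fixed = FIXED_BY_MAJOR[parseVersion(installed).core[0]];
  return fixed === undefined ? null : compareVersions(installed, fixed) >= 0;
}

// Assumed shape of test.browser in vite.config.ts; adjust to your real config.
type BrowserConfig = { enabled?: boolean; provider?: string;
  api?: { host?: string; allowWrite?: boolean; allowExec?: boolean } };

// Flags an unpatched version with a CDP-capable provider and an API bound to all interfaces.
// allowWrite/allowExec false is reported as NOT a mitigation on unpatched versions, per the advisory.
function auditBrowserConfig(browser: BrowserConfig | undefined, version: string): string[] {
  const findings: string[] = [];
  if (!browser?.enabled) return findings;
  const host = browser.api?.host ?? "localhost";
  if (host === "0.0.0.0" || host === "::") findings.push(`Browser Mode API bound to ${host} (all interfaces)`);
  const cdpCapable = browser.provider === "playwright"; // assumption: Playwright Chromium, as in the text
  if (cdpCapable && isPatched(version) === false) {
    findings.push(`Vitest ${version} is below the fixed release for its branch`);
    if (browser.api?.allowWrite === false && browser.api?.allowExec === false)
      findings.push("allowWrite/allowExec are false but do not gate cdp() on this version");
  }
  return findings;
}
```

Feed it the version from your lockfile and the browser section of your config; an empty result means none of the conditions described above were found, not that the host is otherwise safe.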