
A critical security vulnerability (CVE-2025-24964) has been discovered in Vitest, a popular unit testing framework, which could allow attackers to execute arbitrary code on the machines of developers. The vulnerability, with a CVSS score of 9.7, affects Vitest versions up to and including 3.0.4.
The vulnerability stems from a Cross-site WebSocket Hijacking (CSWSH) issue in Vitest’s API server. When the api option is enabled, Vitest starts a WebSocket server that is vulnerable to CSWSH attacks. This server performs neither Origin header checks nor any authorization of the connecting client, so a web page served from any origin that the developer happens to open in a browser can connect to the local Vitest API and issue commands over the hijacked WebSocket.
By exploiting this vulnerability, an attacker can inject malicious code into a test file using the saveTestFile API and then execute that code by calling the rerun API. This could lead to remote code execution on the developer’s machine, potentially compromising sensitive information and systems.
To illustrate the impact, a proof-of-concept (PoC) exploit demonstrates how simply visiting a malicious webpage can trigger code execution. If the system has the calc executable in its PATH environment variable (which is common on Windows), the attacker can make it launch without any user interaction.
The maintainers of Vitest have addressed this vulnerability in versions 1.6.1, 2.1.9, and 3.0.5. Users of Vitest are strongly urged to update to a patched version immediately.