cvedb.io
CVE-2025-24964
CRITICAL · CVSS 9.6
EPSS exploitation probability: 0%
Published 2025-02-04T20:15:50.483 · Last modified 2026-06-17T08:59:53.550

Summary

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote code execution when a user visits a malicious website while the Vitest API server is listening, via a cross-site WebSocket hijacking (CSWSH) attack. When the `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check the Origin header and had no authorization mechanism, so it was vulnerable to CSWSH attacks. The WebSocket server exposes a `saveTestFile` API that can edit a test file and a `rerun` API that reruns the tests. An attacker can execute arbitrary code by injecting code into a test file via the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are usin
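
Below is an added example, not code from Vitest or cvedb, showing the Origin and session-token checks a local dev WebSocket server can apply to the HTTP upgrade request to close the CSWSH gap described above; the vulnerable accept-everything decision sits beside it for comparison. The port, path and token values are constructed placeholders.

```javascript
// Added example, not code from Vitest: the Origin and token checks a local
// dev WebSocket server can apply so a page on another site cannot open the
// socket (cross-site WebSocket hijacking). Assumes `req` has lowercase
// `headers` and `url` as Node's http 'upgrade' event provides; port, path
// and token values below are constructed placeholders.
const ALLOWED_ORIGINS = new Set(['http://localhost:51204', 'http://127.0.0.1:51204']);

// Constant-time compare so the token check does not leak by timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Policy: Origin must be present and allow-listed, AND the request must carry
// the per-session token (`?token=...`) the server issued with the UI page. A
// cross-site page sends a foreign Origin and cannot read the token, so it is
// rejected before any upgrade takes place.
function checkUpgrade(req, sessionToken, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers['origin'];
  if (!origin) return { ok: false, reason: 'missing Origin header' };
  if (!allowed.has(origin)) return { ok: false, reason: `origin ${origin} not allowed` };
  const token = new URL(req.url, 'http://localhost').searchParams.get('token');
  if (!token || !constantTimeEqual(token, sessionToken)) {
    return { ok: false, reason: 'bad or missing token' };
  }
  return { ok: true, reason: 'ok' };
}

// The behaviour the advisory describes: every upgrade request is accepted.
function checkUpgradeUnchecked(_req) {
  return { ok: true, reason: 'no Origin or token check' };
}

// Placement in a Node http server: decide before handing the socket to the
// WebSocket library. Not invoked in this example.
function attach(server, sessionToken) {
  server.on('upgrade', (req, socket) => {
    if (checkUpgrade(req, sessionToken).ok) return; // hand req/socket to the WS library here
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
  });
}

// Constructed sample handshakes: the UI tab, a cross-site page, a non-browser client.
const SESSION_TOKEN = 'constructed-session-token';
const legitReq = { headers: { origin: 'http://localhost:51204' }, url: `/ws?token=${SESSION_TOKEN}` };
const crossSiteReq = { headers: { origin: 'http://attacker.example' }, url: '/ws' };
const noOriginReq = { headers: {}, url: `/ws?token=${SESSION_TOKEN}` };
```

Either check alone already stops a page on another origin; requiring both means a leaked token or a misconfigured allow list is not, by itself, enough to open the socket.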

Affected products

vitest.dev — vitest

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.