PT-2025-5608 · Vitest · Vitest

Sapphi-Red · Published 2025-01-29 · Updated 2026-02-19 · CVE-2025-24964

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Vitest versions prior to 1.6.1
Vitest versions prior to 2.1.9
Vitest versions prior to 3.0.5

Description
The issue allows arbitrary remote code execution when a user visits a malicious website while the Vitest API server is listening, through a cross-site WebSocket hijacking (CSWSH) attack. The Vitest API server starts a WebSocket server when the api option is enabled; a browser will open a WebSocket to that local server from any page unless the server validates the Origin header, which is what makes CSWSH possible. This server exposes a saveTestFile API that can edit a test file and a rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting code into a test file via the saveTestFile API and then running that file by calling the rerun API.

Recommendations
For Vitest versions prior to 1.6.1, upgrade to version 1.6.1 or later.
For Vitest versions prior to 2.1.9, upgrade to version 2.1.9 or later.
For Vitest versions prior to 3.0.5, upgrade to version 3.0.5 or later.
As a temporary workaround, consider disabling the saveTestFile and rerun APIs until a patch is available. Restrict access to the Vitest API server to minimize the risk of exploitation.

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-01160
CVE-2025-24964
GHSA-9CRC-Q9X8-HGQQ

Affected Products

Vitest