PT-2026-49576 · Npm · @Vitest/Browser+1

Published

2026-06-15

·

Updated

2026-06-15

·

CVE-2026-53633

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Vitest (affected versions not specified)

Description

Browser Mode exposes a cdp() API that forwards raw Chrome DevTools Protocol (CDP) methods over the browser WebSocket RPC. This API is not restricted by the browser.api.allowWrite, browser.api.allowExec, api.allowWrite, or api.allowExec settings. Consequently, disabling write and execution operations does not prevent a client from using CDP to perform equivalent actions.

When the Browser Mode API is exposed to the network (e.g., using --browser.api.host=0.0.0.0), the generated browser runner page leaks metadata including the browser API token, active session id, project name, and project root path. A remote attacker can use this information to authenticate to the browser WebSocket API and call the sendCdpEvent RPC method. By utilizing CDP Page.setDownloadBehavior and Runtime.evaluate, an attacker can overwrite the vite.config.ts file in the project root. Since Vitest reloads the configuration upon change, this leads to remote code execution of attacker-controlled Node.js code on the host. Additionally, the CDP bridge allows direct JavaScript execution via Runtime.evaluate and potential reading of local files through file:// URLs.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
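As an added example that is not part of this advisory or of the Vitest project, the following TypeScript check flags a Vitest config whose Browser Mode API is bound to a non-loopback address, contrasting the network-exposed setting with the localhost-only one; since no fixed version is known, not exposing the API is the only mitigation the advisory supports. The `test.browser.api` shape (a port number or an object with optional `host`/`port`, where `true` means all interfaces as in Vite's server options), the `allowWrite`/`allowExec` keys and the `cliHost` parameter are assumptions drawn from the advisory and Vite's conventions.

```typescript
// Added example, not Vitest project code. Shape of `test.browser.api` is an
// assumption: a port number, or an object with optional host/port plus the
// allowWrite/allowExec flags named in the advisory.
type BrowserApi =
  | number
  | { host?: string | boolean; port?: number; allowWrite?: boolean; allowExec?: boolean };

interface VitestLikeConfig {
  test?: { browser?: { enabled?: boolean; api?: BrowserApi } };
}

// Addresses that keep the WebSocket RPC reachable only from the local host.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '::1']);

// Returns true when the Browser Mode API would listen on a network interface.
// `cliHost` (assumed) models an overriding --browser.api.host flag.
function browserApiExposed(cfg: VitestLikeConfig, cliHost?: string): boolean {
  const browser = cfg.test?.browser;
  if (!browser?.enabled) return false; // Browser Mode off: no cdp() bridge at all
  const api = browser.api;
  const host = cliHost ?? (typeof api === 'object' ? api.host : undefined);
  if (host === undefined || host === false) return false; // default: localhost only
  if (host === true) return true; // Vite semantics: true = bind all addresses
  return !LOOPBACK_HOSTS.has(host);
}

// Weak setting: allowWrite/allowExec are off, but per the advisory they do not
// cover cdp(), and host 0.0.0.0 lets a remote client reach the RPC.
const weakConfig: VitestLikeConfig = {
  test: { browser: { enabled: true, api: { host: '0.0.0.0', allowWrite: false, allowExec: false } } },
};

// Corrected setting: keep the same flags, but bind the API to loopback only.
const hardenedConfig: VitestLikeConfig = {
  test: { browser: { enabled: true, api: { host: '127.0.0.1', allowWrite: false, allowExec: false } } },
};

// Collects findings for a set of configs; suitable as a pre-commit or CI lint.
function auditConfigs(configs: Record<string, VitestLikeConfig>, cliHost?: string): string[] {
  const findings: string[] = [];
  for (const [name, cfg] of Object.entries(configs)) {
    if (browserApiExposed(cfg, cliHost)) {
      findings.push(`${name}: Browser Mode API is network-exposed; cdp() bypasses allowWrite/allowExec`);
    }
  }
  return findings;
}
```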

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-53633
GHSA-G8MR-85JM-7XHM

Affected Products

@Vitest/Browser
Vite-Plus