chore(deps): update dependency vitest to v3 [security]#25
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
4c91bc6 to
55f964d
Compare
55f964d to
46f48eb
Compare
7fbb36e to
a43f4e1
Compare
a43f4e1 to
1aea6d7
Compare
Coverage Report
File CoverageNo changed files found. |
1aea6d7 to
b6e4e1b
Compare
b6e4e1b to
b94eb64
Compare
d150cd8 to
69ada20
Compare
69ada20 to
09c5278
Compare
09c5278 to
9edc928
Compare
50bae53 to
17b5724
Compare
17b5724 to
ab63779
Compare
ab63779 to
73e54db
Compare
73e54db to
b1ccf56
Compare
b1ccf56 to
643261c
Compare
643261c to
692c614
Compare
692c614 to
d8a3d0c
Compare
d8a3d0c to
7454249
Compare
7454249 to
e16231d
Compare
e16231d to
b691afb
Compare
e64d659 to
2c399f3
Compare
2c399f3 to
daaa17a
Compare
454585f to
ec06d3a
Compare
ec06d3a to
87f4a43
Compare
87f4a43 to
0547393
Compare
0547393 to
2adcbcc
Compare
2adcbcc to
13e3038
Compare
e7c9587 to
7e4c986
Compare
385a099 to
1bba652
Compare
ece8b35 to
732e770
Compare
732e770 to
485ab6f
Compare
485ab6f to
a24ecd9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.3.1→^3.0.0Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
CVE-2025-24964 / GHSA-9crc-q9x8-hgqq
More information
Details
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When
apioption is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has
saveTestFileAPI that can edit a test file andrerunAPI that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by thesaveTestFileAPI and then running that file by calling thererunAPI.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
When Vitest UI server is listening, arbitrary file can be read and executed
CVE-2026-47429 / GHSA-5xrq-8626-4rwp
More information
Details
Summary
Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.
Impact
Only users that match either of the following conditions are affected:
--api.hostorapi.hostconfig option)Details
The API handler for
/__vitest_attachment__uses the deprecatedisFileServingAllowedincorrectly.https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use
cleanUrlafter the check before file system related operation.Because of this, it is possible to bypass the check by
\\?\\..\\. This is not possible on Linux as Linux errors if a directory named?does not exist.A similar problem exists in other places as well.
That said, this
isFileServingAllowedcheck does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file usingsaveTestFileand running it usingrerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.On the browser mode side, there're
readFile/writeFile/saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.PoC
curl http://localhost:51204/__vitest__/curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN"(TOKEN is the API token)secret.txtthat is outside the project directoryMitigations
Vitest now ships two configuration flags,
allowWriteandallowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhosthost, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See
browser.api.Users who require the full interactive UI on a networked host must explicitly opt in by setting
allowWriteand/orallowExectotrue.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitest-dev/vitest (vitest)
v3.2.6Compare Source
v3.2.5Compare Source
v3.2.4Compare Source
🐞 Bug Fixes
vitest run --watchshould be watch-mode - by @AriPerkkio in #8128 (657e8)--shard x/<count>exceeds count of test files - by @AriPerkkio in #8112 (8a18c)minWorkerswhen onlymaxWorkersspecified - by @AriPerkkio in #8110 (14dc0)task.metashould be available in custom reporter's errors - by @AriPerkkio in #8115 (27df6)View changes on GitHub
v3.2.3Compare Source
🚀 Features
🐞 Bug Fixes
expect.anyreturn type - by @sheremet-va in #8129 (47514)process.send()- by @AriPerkkio in #8125 (dfe81)View changes on GitHub
v3.2.2Compare Source
🚀 Features
🐞 Bug Fixes
createTesterscall on the main thread - by @sheremet-va in #8101 (142c7)vitest-browser-*packages - by @sheremet-va in #8103 (247ef)toEqual- by @dubzzz in #8094 (02ec8)dotreporter to work in non interactive terminals - by @bstephen1 and @AriPerkkio in #7994 (6db9f)View changes on GitHub
v3.2.1Compare Source
🐞 Bug Fixes
DeeplyAllowMatchers- by @sheremet-va in #8078 (30ab4)View changes on GitHub
v3.2.0Compare Source
🚀 Features
ctx.signal- by @sheremet-va in #7878 (e761f)test.name- by @AriPerkkio in #7809 (4af5d)vi.mockObjectto automock any object - by @hi-ogawa and @sheremet-va in #7761 (465bd)watchTriggerPatternsoption - by @sheremet-va in #7778 (a0675)workspacein favor ofprojects- by @sheremet-va and @AriPerkkio in #7923 (41beb)sequence.groupOrderoption - by @sheremet-va in #7852 (d1a1d)connectoption forplaywrightbrowser provider - by @egfx-notifications and @sheremet-va in #7915 (029c0)screenshot.saveoption - by @sheremet-va in #7777 (d9f51)onWritePathoption togithub-actions- by @nwalters512 and @AriPerkkio in #8015 (abd3b)🐞 Bug Fixes
micromatchwithpicomatch- by @sapphi-red in #7951 (df076)anytypes toAsymmetricMatcher<unknown>, withDeeplyAllowMatchers<T>- by @JoshuaKGoldberg in #7016 (8ec44)stackproperties - by @sheremet-va in #7995 (330f9)toJSONserialisation - by @sheremet-va in #8053 (3bdf0)uploadfiles relative to the project root - by @sheremet-va in #8042 (b9a31)thistype tolocators.extend- by @sheremet-va in #8069 (70fb0)--silentvalues properly - by @AriPerkkio in #8055 (8fad7)@types/chai- by @hi-ogawa in #7937 (525f5)vitest listcommand - by @sheremet-va in #7933 (ba6da)__vite_ssr_exportName__- by @hi-ogawa in #7925 (76091)getWorkerMemoryLimitpriority for vmForks - by @pengooseDev in #7960 (5a91e)View changes on GitHub
v3.1.4Compare Source
🐞 Bug Fixes
View changes on GitHub
v3.1.3Compare Source
🐞 Bug Fixes
inline: trueis set - by @sheremet-va in #7856 (a83f3)--merge-reportsto show each total run times - by @AriPerkkio in #7877 (d613b)View changes on GitHub
v3.1.2Compare Source
🐞 Bug Fixes
chaivariable invitest/globals(fix: #7474) - by @Jay-Karia in #7771 and #7474 (d9297)test.excludewhen same object passed incoverage.exclude- by @AriPerkkio in #7774 (c3751)envionmentOptions- by @hi-ogawa in #7795 (67430)awaitprofiler calls - by @AriPerkkio in #7763 (795a6)🏎 Performance
View changes on GitHub
v3.1.1Compare Source
🐞 Bug Fixes
View changes on GitHub
v3.1.0Compare Source
🚀 Features
%$option to add number of the test to its title - by @kemuridama in #7412 (df347)diff.maxDepthoption and set non-Infinityvalue as a default to reduce crash - by @hi-ogawa in #7481 (eacab)test.each/fortitle formatting - by @hi-ogawa in #7522 (ea3d6)--configLoaderCLI option - by @Carnageous and @hi-ogawa in #7574 (2a852)vitest-browser-littovitest init browserand docs - by @EskiMojo14 and @hi-ogawa in #7705 (5659a)and,orandfilterlocators - by @sheremet-va and @AriPerkkio in #7463 (63949)--silent=passed-onlyto log failed tasks only - by @AriPerkkio in #7530 (f9e1c)test.scopedto overridetest.extendfixtures per-suite - by @sheremet-va in #7233 (e5851)context.skip(boolean)- by @sheremet-va and @AriPerkkio in #7659 (6adec)🐞 Bug Fixes
diff.expand: falseas default - by @hi-ogawa in #7697 (f3420)--hideSkippedTestsshould hide suites too - by @AriPerkkio in #7695 (ba9b5)🏎 Performance
View changes on GitHub
v3.0.9Compare Source
🐞 Bug Fixes
ctx.skip()asnever- by @sirlancelot in #7608 (09f35)resolveConfigAPI - by @hi-ogawa in #7623 (db14a)toHaveBeenCalledWith(asymmetricMatcher)withundefinedarguments - by @hi-ogawa in #7624 (0fb21)getState().testPathduring collection with no isolation - by @hi-ogawa in #7640 (3fb3f)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.