fkie_cve-2025-24964
Vulnerability from fkie_nvd
Published
2025-02-04 20:15
Modified
2025-02-04 20:15
Severity ?
Summary
Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version |
---|
{ "cveTags": [], "descriptions": [ { "lang": "en", "value": "Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "Vitest es un servidor de pruebas framework desarrollado por Vite. Las versiones afectadas est\u00e1n sujetas a la ejecuci\u00f3n remota de c\u00f3digo arbitrario cuando se accede a un sitio web malicioso mientras el servidor API de Vitest est\u00e1 escuchando mediante ataques de Cross-site WebSocket hijacking (CSWSH). Cuando la opci\u00f3n `api` est\u00e1 habilitada (la interfaz de usuario de Vitest la habilita), Vitest inicia un servidor WebSocket. Este servidor WebSocket no verificaba el encabezado Origin y no ten\u00eda ning\u00fan mecanismo de autorizaci\u00f3n y era vulnerable a ataques CSWSH. Este servidor WebSocket tiene la API `saveTestFile` que puede editar un archivo de prueba y la API `rerun` que puede volver a ejecutar las pruebas. Un atacante puede ejecutar c\u00f3digo arbitrario inyectando un c\u00f3digo en un archivo de prueba mediante la API `saveTestFile` y luego ejecutando ese archivo llamando a la API `rerun`. Esta vulnerabilidad puede resultar en la ejecuci\u00f3n remota de c\u00f3digo para los usuarios que usan la API de servicio de Vitest. Este problema se ha corregido en las versiones 1.6.1, 2.1.9 y 3.0.5. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad." } ], "id": "CVE-2025-24964", "lastModified": "2025-02-04T20:15:50.483", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-02-04T20:15:50.483", "references": [ { "source": "security-advisories@github.com", "url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46" }, { "source": "security-advisories@github.com", "url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76" }, { "source": "security-advisories@github.com", "url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq" }, { "source": "security-advisories@github.com", "url": "https://vitest.dev/config/#api" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1385" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.