Update dependency vitest to v3 [SECURITY]#616
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Member
|
👍 @renovate[bot] Thank you for raising your pull request and contributing to our Community |
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 9, 2025 14:15
d00e1c0 to
a70de53
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 9, 2025 17:11
a70de53 to
ae66f1a
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
March 3, 2025 19:34
824d5ab to
613304b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 11, 2025 10:53
613304b to
e633b77
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 11, 2025 22:59
e633b77 to
7cbd56f
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 13, 2025 15:33
7cbd56f to
b022dab
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 13, 2025 19:54
b022dab to
9ce30ee
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 17, 2025 13:36
9ce30ee to
cf1675a
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 17, 2025 20:32
cf1675a to
a7b4039
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
April 1, 2025 19:27
88ba19b to
dadfa0e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 24, 2025 08:48
dadfa0e to
74211f4
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 24, 2025 17:24
74211f4 to
8370abb
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 28, 2025 08:30
6cc55c6 to
157f610
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 28, 2025 16:49
157f610 to
145132b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 4, 2025 06:45
145132b to
0b2a326
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 4, 2025 13:34
0b2a326 to
bf72bb0
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 18, 2025 07:02
bf72bb0 to
3e896ff
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
June 22, 2025 15:01
75ddc29 to
23cd8f9
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 22, 2025 17:39
23cd8f9 to
9f1a1ce
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 2, 2025 15:01
9f1a1ce to
9a13681
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 2, 2025 21:00
9a13681 to
ac5edb9
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 28, 2025 11:39
ac5edb9 to
e99cb27
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 28, 2025 17:14
e99cb27 to
17db546
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 10, 2025 13:34
17db546 to
4093d17
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 10, 2025 17:20
4093d17 to
74b6a90
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 13, 2025 16:47
74b6a90 to
87085a6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~1.2.2→~3.2.6Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
CVE-2025-24964 / GHSA-9crc-q9x8-hgqq
More information
Details
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When
apioption is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has
saveTestFileAPI that can edit a test file andrerunAPI that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by thesaveTestFileAPI and then running that file by calling thererunAPI.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
When Vitest UI server is listening, arbitrary file can be read and executed
CVE-2026-47429 / GHSA-5xrq-8626-4rwp
More information
Details
Summary
Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.
Impact
Only users that match either of the following conditions are affected:
--api.hostorapi.hostconfig option)Details
The API handler for
/__vitest_attachment__uses the deprecatedisFileServingAllowedincorrectly.https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use
cleanUrlafter the check before file system related operation.Because of this, it is possible to bypass the check by
\\?\\..\\. This is not possible on Linux as Linux errors if a directory named?does not exist.A similar problem exists in other places as well.
That said, this
isFileServingAllowedcheck does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file usingsaveTestFileand running it usingrerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.On the browser mode side, there're
readFile/writeFile/saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.PoC
curl http://localhost:51204/__vitest__/curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN"(TOKEN is the API token)secret.txtthat is outside the project directoryMitigations
Vitest now ships two configuration flags,
allowWriteandallowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhosthost, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See
browser.api.Users who require the full interactive UI on a networked host must explicitly opt in by setting
allowWriteand/orallowExectotrue.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitest-dev/vitest (vitest)
v3.2.6Compare Source
v3.2.5Compare Source
v3.2.4Compare Source
🐞 Bug Fixes
vitest run --watchshould be watch-mode - by @AriPerkkio in #8128 (657e8)--shard x/<count>exceeds count of test files - by @AriPerkkio in #8112 (8a18c)minWorkerswhen onlymaxWorkersspecified - by @AriPerkkio in #8110 (14dc0)task.metashould be available in custom reporter's errors - by @AriPerkkio in #8115 (27df6)View changes on GitHub
v3.2.3Compare Source
🚀 Features
🐞 Bug Fixes
expect.anyreturn type - by @sheremet-va in #8129 (47514)process.send()- by @AriPerkkio in #8125 (dfe81)View changes on GitHub
v3.2.2Compare Source
🚀 Features
🐞 Bug Fixes
createTesterscall on the main thread - by @sheremet-va in #8101 (142c7)vitest-browser-*packages - by @sheremet-va in #8103 (247ef)toEqual- by @dubzzz in #8094 (02ec8)dotreporter to work in non interactive terminals - by @bstephen1 and @AriPerkkio in #7994 (6db9f)View changes on GitHub
v3.2.1Compare Source
🐞 Bug Fixes
DeeplyAllowMatchers- by @sheremet-va in #8078 (30ab4)View changes on GitHub
v3.2.0Compare Source
🚀 Features
ctx.signal- by @sheremet-va in #7878 (e761f)test.name- by @AriPerkkio in #7809 (4af5d)vi.mockObjectto automock any object - by @hi-ogawa and @sheremet-va in #7761 (465bd)watchTriggerPatternsoption - by @sheremet-va in #7778 (a0675)workspacein favor ofprojects- by @sheremet-va and @AriPerkkio in #7923 (41beb)sequence.groupOrderoption - by @sheremet-va in #7852 (d1a1d)connectoption forplaywrightbrowser provider - by @egfx-notifications and @sheremet-va in #7915 (029c0)screenshot.saveoption - by @sheremet-va in #7777 (d9f51)onWritePathoption togithub-actions- by @nwalters512 and @AriPerkkio in #8015 (abd3b)🐞 Bug Fixes
micromatchwithpicomatch- by @sapphi-red in #7951 (df076)anytypes toAsymmetricMatcher<unknown>, withDeeplyAllowMatchers<T>- by @JoshuaKGoldberg in #7016 (8ec44)stackproperties - by @sheremet-va in #7995 (330f9)toJSONserialisation - by @sheremet-va in #8053 (3bdf0)uploadfiles relative to the project root - by @sheremet-va in #8042 (b9a31)thistype tolocators.extend- by @sheremet-va in #8069 (70fb0)--silentvalues properly - by @AriPerkkio in #8055 (8fad7)@types/chai- by @hi-ogawa in #7937 (525f5)vitest listcommand - by @sheremet-va in #7933 (ba6da)__vite_ssr_exportName__- by @hi-ogawa in #7925 (76091)getWorkerMemoryLimitpriority for vmForks - by @pengooseDev in #7960 (5a91e)View changes on GitHub
v3.1.4Compare Source
🐞 Bug Fixes
View changes on GitHub
v3.1.3Compare Source
🐞 Bug Fixes
inline: trueis set - by @sheremet-va in #7856 (a83f3)--merge-reportsto show each total run times - by @AriPerkkio in #7877 (d613b)View changes on GitHub
v3.1.2Compare Source
🐞 Bug Fixes
chaivariable invitest/globals(fix: #7474) - by @Jay-Karia in #7771 and #7474 (d9297)test.excludewhen same object passed incoverage.exclude- by @AriPerkkio in #7774 (c3751)envionmentOptions- by @hi-ogawa in #7795 (67430)awaitprofiler calls - by @AriPerkkio in #7763 (795a6)🏎 Performance
View changes on GitHub
v3.1.1Compare Source
🐞 Bug Fixes
View changes on GitHub
v3.1.0Compare Source
🚀 Features
%$option to add number of the test to its title - by @kemuridama in #7412 (df347)diff.maxDepthoption and set non-Infinityvalue as a default to reduce crash - by @hi-ogawa in #7481 (eacab)test.each/fortitle formatting - by @hi-ogawa in #7522 (ea3d6)--configLoaderCLI option - by @Carnageous and @hi-ogawa in #7574 (2a852)vitest-browser-littovitest init browserand docs - by @EskiMojo14 and @hi-ogawa in #7705 (5659a)and,orandfilterlocators - by @sheremet-va and @AriPerkkio in #7463 (63949)--silent=passed-onlyto log failed tasks only - by @AriPerkkio in #7530 (f9e1c)test.scopedto overridetest.extendfixtures per-suite - by @sheremet-va in #7233 (e5851)context.skip(boolean)- by @sheremet-va and @AriPerkkio in #7659 (6adec)🐞 Bug Fixes
diff.expand: falseas default - by @hi-ogawa in #7697 (f3420)--hideSkippedTestsshould hide suites too - by @AriPerkkio in #7695 (ba9b5)🏎 Performance
View changes on GitHub
v3.0.9Compare Source
🐞 Bug Fixes
ctx.skip()asnever- by @sirlancelot in #7608 (09f35)resolveConfigAPI - by @hi-ogawa in #7623 (db14a)toHaveBeenCalledWith(asymmetricMatcher)withundefinedarguments - by @hi-ogawa in #7624 (0fb21)getState().testPathduring collection with no isolation - by @hi-ogawa in #7640 (3fb3f)Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.