{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T00:36:58.722","vulnerabilities":[{"cve":{"id":"CVE-2025-24964","sourceIdentifier":"security-advisories@github.com","published":"2025-02-04T20:15:50.483","lastModified":"2025-12-31T14:50:11.840","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."},{"lang":"es","value":"Vitest es un servidor de pruebas framework desarrollado por Vite. Las versiones afectadas están sujetas a la ejecución remota de código arbitrario cuando se accede a un sitio web malicioso mientras el servidor API de Vitest está escuchando mediante ataques de Cross-site WebSocket hijacking (CSWSH). Cuando la opción `api` está habilitada (la interfaz de usuario de Vitest la habilita), Vitest inicia un servidor WebSocket. Este servidor WebSocket no verificaba el encabezado Origin y no tenía ningún mecanismo de autorización y era vulnerable a ataques CSWSH. Este servidor WebSocket tiene la API `saveTestFile` que puede editar un archivo de prueba y la API `rerun` que puede volver a ejecutar las pruebas. Un atacante puede ejecutar código arbitrario inyectando un código en un archivo de prueba mediante la API `saveTestFile` y luego ejecutando ese archivo llamando a la API `rerun`. Esta vulnerabilidad puede resultar en la ejecución remota de código para los usuarios que usan la API de servicio de Vitest. Este problema se ha corregido en las versiones 1.6.1, 2.1.9 y 3.0.5. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1385"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*","versionEndIncluding":"0.0.125","matchCriteriaId":"FDA59D59-6B5B-4C48-BB88-F625A7445F49"},{"vulnerable":true,"criteria":"cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.6.1","matchCriteriaId":"96A37AB4-FCE7-4AC8-9F7A-7A3447CAF755"},{"vulnerable":true,"criteria":"cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.1.9","matchCriteriaId":"7864DADB-FD24-4EF0-8A15-C37E9406548D"},{"vulnerable":true,"criteria":"cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.5","matchCriteriaId":"6D0A9FFF-0231-4E65-85FD-D64ADDAD0D00"}]}]}],"references":[{"url":"https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://vitest.dev/config/#api","source":"security-advisories@github.com","tags":["Product"]}]}}]}