CVE-2025-24964: Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
References
- github.com/advisories/GHSA-9crc-q9x8-hgqq
- github.com/vitest-dev/vitest
- github.com/vitest-dev/vitest/commit/191ef9e34c867d0efd04f49b3d38193a68e825dc
- github.com/vitest-dev/vitest/commit/7ce9fbb4972d45c6fd34c843645ef6f549bbb241
- github.com/vitest-dev/vitest/commit/e0fe1d81e2d4bcddb1c6ca3c5c3970d8ba697383
- github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq
- nvd.nist.gov/vuln/detail/CVE-2025-24964
Code Behaviors & Features
Detect and mitigate CVE-2025-24964 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →