CVE-2025-24964

{"id": "CVE-2025-24964", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-02-04T20:15:50.483", "references": [{"url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://vitest.dev/config/#api", "tags": ["Product"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Vitest es un servidor de pruebas framework desarrollado por Vite. Las versiones afectadas est\u00e1n sujetas a la ejecuci\u00f3n remota de c\u00f3digo arbitrario cuando se accede a un sitio web malicioso mientras el servidor API de Vitest est\u00e1 escuchando mediante ataques de Cross-site WebSocket hijacking (CSWSH). Cuando la opci\u00f3n `api` est\u00e1 habilitada (la interfaz de usuario de Vitest la habilita), Vitest inicia un servidor WebSocket. Este servidor WebSocket no verificaba el encabezado Origin y no ten\u00eda ning\u00fan mecanismo de autorizaci\u00f3n y era vulnerable a ataques CSWSH. Este servidor WebSocket tiene la API `saveTestFile` que puede editar un archivo de prueba y la API `rerun` que puede volver a ejecutar las pruebas. Un atacante puede ejecutar c\u00f3digo arbitrario inyectando un c\u00f3digo en un archivo de prueba mediante la API `saveTestFile` y luego ejecutando ese archivo llamando a la API `rerun`. Esta vulnerabilidad puede resultar en la ejecuci\u00f3n remota de c\u00f3digo para los usuarios que usan la API de servicio de Vitest. Este problema se ha corregido en las versiones 1.6.1, 2.1.9 y 3.0.5. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-12-31T14:50:11.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FDA59D59-6B5B-4C48-BB88-F625A7445F49", "versionEndIncluding": "0.0.125"}, {"criteria": "cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "96A37AB4-FCE7-4AC8-9F7A-7A3447CAF755", "versionEndExcluding": "1.6.1", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7864DADB-FD24-4EF0-8A15-C37E9406548D", "versionEndExcluding": "2.1.9", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:vitest.dev:vitest:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6D0A9FFF-0231-4E65-85FD-D64ADDAD0D00", "versionEndExcluding": "3.0.5", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}