CVE-2025-24964: Critical Vulnerability in vitest.dev vitest

CVE-2025-24964 is a critical vulnerability affecting the vitest testing framework powered by Vite. The vulnerability has a CVSS score of 9.6, indicating a severe risk to organizations. This vulnerability allows arbitrary remote code execution when a user accesses a malicious website while the Vitest API server is listening, making it susceptible to Cross-site WebSocket hijacking (CSWSH) attacks. The urgency for defenders to address this vulnerability is high, as it poses a significant threat to system integrity and confidentiality.

When the `api` option is enabled, which is standard in the Vitest UI, a WebSocket server is initiated. Unfortunately, this server fails to validate the Origin header and lacks any authorization mechanisms, rendering it vulnerable to CSWSH attacks. Attackers can exploit this vulnerability by using the `saveTestFile` API to inject malicious code into a test file, followed by executing that file through the `rerun` API. This sequence can result in remote code execution for users relying on the Vitest serve API.

The vulnerability has been patched in versions 1.6.1, 2.1.9, and 3.0.5. Users are strongly advised to upgrade to these versions or later. Currently, there are no known workarounds for this vulnerability, making immediate patching critical to prevent potential exploitation.

Organizations must prioritize patching immediately to mitigate the risks associated with this vulnerability. The potential for remote code execution poses a significant threat that could lead to unauthorized access and data breaches.

Vulnerability Details

The official description of CVE-2025-24964 indicates that affected versions of vitest are vulnerable to arbitrary remote code execution due to Cross-site WebSocket hijacking. The vulnerability is classified under CWE-1385. The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, confirming the attack vector is network-based, with low complexity and no privileges required for exploitation.

The vulnerability affects the vitest component from vitest.dev, and it was published on February 4, 2025. Given the severity level of critical, organizations utilizing this framework must take immediate action.

Technical Analysis

The root cause of this vulnerability lies in the improper handling of WebSocket connections. The Vitest server's failure to verify the Origin header allows malicious actors to hijack WebSocket connections and inject code. The attack vector is network-based, and the complexity is low, requiring no special privileges. User interaction is necessary for exploitation, as users must access a malicious website while the server is running.

The impacts of this vulnerability are severe, with high confidentiality, integrity, and availability impacts. An attacker could gain control over the user's environment, executing arbitrary code and potentially compromising sensitive data.

Risk & Impact Analysis

Risk to organizations includes the potential for significant data breaches and system compromises. The blast radius could extend beyond individual users if exploited effectively, leading to systemic vulnerabilities. Given the critical nature of the CVSS score, organizations must assess their exposure and prioritize remediation efforts during their patch cycles.

The urgency for addressing CVE-2025-24964 is critical, as exploitation could occur rapidly. Organizations should implement monitoring strategies to detect any unusual activity associated with the Vitest API server.

Exploitation Status

Affected Versions

The vulnerability affects all vitest versions prior to the remediation. Specifically, versions prior to 1.6.1, 2.1.9, and 3.0.5 are vulnerable. Users must upgrade to these versions or later to mitigate the risk.

Mitigation & Remediation

Organizations should upgrade to vitest versions 1.6.1, 2.1.9, or 3.0.5 immediately. Additionally, implementing monitoring solutions to track WebSocket usage can help identify potential misuse.

For those unable to upgrade immediately, it is critical to disable the `api` option to prevent the WebSocket server from being initiated until the upgrade can be completed. Organizations can also consider configuring firewalls to restrict access to the Vitest serve API.

Detection Guidance

Organizations should monitor logs for unusual WebSocket connection attempts, especially from untrusted sources. Behavioral anomalies, such as unexpected API calls to `saveTestFile` and `rerun`, should be flagged and investigated.

AppSecure Threat Intelligence Insight

CVE-2025-24964 highlights the critical need for robust security practices within testing frameworks. As vulnerabilities like this can have far-reaching impacts, organizations should revisit their security assessments and implement a comprehensive security testing strategy.

For further guidance, organizations can refer to our penetration testing services, which can help identify similar vulnerabilities and enhance security posture.

Additionally, organizations should stay informed about emerging threats by reviewing our blog on penetration testing methodology and best practices.

By implementing the necessary patches and monitoring strategies, organizations can reduce the risk associated with CVE-2025-24964 and protect their applications from future vulnerabilities.