CVE-2025-24964
Published: 04 February 2025
Summary
CVE-2025-24964 is a critical-severity Missing Origin Validation in WebSockets (CWE-1385) vulnerability in Vitest.Dev Vitest. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 10.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring identification, reporting, and patching of the flaw in Vitest's WebSocket server lacking Origin validation and authorization.
Prevents Cross-site WebSocket hijacking attacks by enforcing authenticity mechanisms such as Origin header checks on WebSocket communications sessions.
Enforces access control and authorization on exposed WebSocket APIs like saveTestFile and rerun to block unauthorized code injection and execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables client-side RCE via CSWSH on local WebSocket server when user visits malicious site; directly maps to exploitation for client execution and malicious link delivery requiring user interaction.
NVD Description
Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest…
more
UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysisAI
CVE-2025-24964 is an arbitrary remote code execution vulnerability in Vitest, a testing framework powered by Vite. The flaw affects versions prior to the patches in 1.6.1, 2.1.9, and 3.0.5, specifically when the `api` option is enabled, as in Vitest UI. In this configuration, Vitest starts a WebSocket server that fails to validate the Origin header or implement any authorization, exposing it to Cross-site WebSocket Hijacking (CSWSH) attacks.
Attackers can exploit this vulnerability by luring victims to a malicious website while the Vitest API server is listening on the local network. No privileges are required, but user interaction is needed to visit the site. Via CSWSH, the attacker hijacks the WebSocket connection, invokes the `saveTestFile` API to inject arbitrary code into a test file, and then calls the `rerun` API to execute it, resulting in remote code execution on the developer's machine. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its high severity due to network accessibility, low complexity, and comprehensive impact across confidentiality, integrity, and availability.
The GitHub security advisory (GHSA-9crc-q9x8-hgqq) and release notes confirm the issue is patched in Vitest 1.6.1, 2.1.9, and 3.0.5, with users advised to upgrade immediately. No workarounds are known, and the Vitest configuration documentation highlights the `api` option's role in enabling the vulnerable server. Source code references show the lacking Origin checks and exposed APIs in prior versions.
Details
- CWE(s)