CVE-2025-24964

CVE-2025-24964 is an arbitrary remote code execution vulnerability in Vitest, a testing framework powered by Vite. The flaw affects versions prior to the patches in 1.6.1, 2.1.9, and 3.0.5, specifically when the `api` option is enabled, as in Vitest UI. In this configuration, Vitest starts a WebSocket server that fails to validate the Origin header or implement any authorization, exposing it to Cross-site WebSocket Hijacking (CSWSH) attacks.

Attackers can exploit this vulnerability by luring victims to a malicious website while the Vitest API server is listening on the local network. No privileges are required, but user interaction is needed to visit the site. Via CSWSH, the attacker hijacks the WebSocket connection, invokes the `saveTestFile` API to inject arbitrary code into a test file, and then calls the `rerun` API to execute it, resulting in remote code execution on the developer's machine. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its high severity due to network accessibility, low complexity, and comprehensive impact across confidentiality, integrity, and availability.

The GitHub security advisory (GHSA-9crc-q9x8-hgqq) and release notes confirm the issue is patched in Vitest 1.6.1, 2.1.9, and 3.0.5, with users advised to upgrade immediately. No workarounds are known, and the Vitest configuration documentation highlights the `api` option's role in enabling the vulnerable server. Source code references show the lacking Origin checks and exposed APIs in prior versions.