CVE-2025-24964: 
JavaScript vulnerability analysis and mitigation

CVE-2025-24964 is a critical vulnerability discovered in Vitest, a testing framework powered by Vite, disclosed on February 4, 2025. The vulnerability allows arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, through Cross-site WebSocket hijacking (CSWSH) attacks. This affects Vitest versions up to and including 3.0.4 (NVD).

The vulnerability occurs when the api option is enabled (which happens by default when Vitest UI is enabled), causing Vitest to start a WebSocket server. The critical flaw lies in the WebSocket server's failure to check the Origin header and lack of any authorization mechanism, making it vulnerable to CSWSH attacks. The WebSocket server exposes two critical APIs: saveTestFile for editing test files and rerun for executing tests. An attacker can exploit this by injecting malicious code into a test file using the saveTestFile API and then executing it by calling the rerun API. The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability can result in remote code execution for users utilizing the Vitest serve API. When successfully exploited, an attacker can execute arbitrary code on the target system, potentially leading to complete system compromise, data breaches, and service disruption. The high severity score reflects the significant impact on confidentiality, integrity, and availability of the affected systems (Security Online).

The vulnerability has been patched in Vitest versions 1.6.1, 2.1.9, and 3.0.5. Users are strongly advised to upgrade to these patched versions immediately. There are no known workarounds for this vulnerability, making the upgrade to a patched version the only effective mitigation strategy (TheSecMaster).