CVE-2025-24964

CVSS 3.1 Score 9.6 of 10 (critical)

Details

Published Feb 4, 2025
CWE ID 1385

Summary

CVE-2025-24964 is a Cross-site WebSocket hijacking (CSWSH) vulnerability in Vitest, the testing framework powered by Vite, that allows arbitrary remote code execution. When the `api` option is enabled, Vitest starts a WebSocket server that neither checks the `Origin` header of the handshake nor requires any authorization. A browser will open that handshake from any page the victim happens to visit, so a malicious site can connect to the server on the developer's machine and call its APIs: `saveTestFile` to write attacker-controlled code into a test file, then `rerun` to execute the tests, and with them that code. Users running Vitest with its serve API (the `api` option) are affected. Upgrading to 1.6.1, 2.1.9, or 3.0.5, which address the issue, is recommended; no workaround is known.
