Update dependency vitest to v1.6.1 [SECURITY]#55
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #55 +/- ##
=======================================
Coverage 47.16% 47.16%
=======================================
Files 71 71
Lines 1798 1798
Branches 48 48
=======================================
Hits 848 848
Misses 948 948
Partials 2 2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 9, 2025 16:10
585e36c to
8b86302
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
March 11, 2025 23:50
566183c to
962b7dc
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
March 19, 2025 23:58
cda1bcf to
1a2858f
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
April 10, 2025 00:09
840e86a to
995f243
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 25, 2025 13:44
995f243 to
ec826f6
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 24, 2025 12:06
ec826f6 to
32e4f2b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
June 6, 2025 17:46
afc09fe to
18f8c1b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 5, 2025 08:07
18f8c1b to
7d95dff
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
August 15, 2025 00:13
a5e4a1a to
e4410bd
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 23, 2025 08:04
e4410bd to
c3c15b0
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
September 1, 2025 05:18
c3c15b0 to
ea3267b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
September 26, 2025 20:00
ea3267b to
ed757b6
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
October 25, 2025 12:10
ed757b6 to
b25cd67
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
November 19, 2025 22:51
3b80f81 to
b481220
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
December 4, 2025 23:45
b481220 to
53de5e8
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
January 1, 2026 00:02
53de5e8 to
759f7db
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
January 9, 2026 07:41
759f7db to
c0f97e0
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
January 24, 2026 04:07
f9cf3ed to
0d0dac2
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 3, 2026 12:04
0d0dac2 to
afe838b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 13, 2026 11:48
afe838b to
b5dfe55
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 19, 2026 08:12
b5dfe55 to
8c443cc
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
March 14, 2026 09:59
1a90ad0 to
2e38edf
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 15, 2026 15:05
2e38edf to
c8aa1da
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 30, 2026 03:08
c8aa1da to
433cee0
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 13, 2026 07:04
433cee0 to
05c332e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 23, 2026 03:30
05c332e to
fec9fa2
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
June 4, 2026 08:11
386f35c to
78ecc97
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 13, 2026 03:46
78ecc97 to
b87212b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 17, 2026 23:17
b87212b to
ffb47e4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.6.0→1.6.1Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
CVE-2025-24964 / GHSA-9crc-q9x8-hgqq
More information
Details
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When
apioption is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has
saveTestFileAPI that can edit a test file andrerunAPI that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by thesaveTestFileAPI and then running that file by calling thererunAPI.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitest-dev/vitest (vitest)
v1.6.1Compare Source
This release includes security patches for:
🐞 Bug Fixes
View changes on GitHub
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.