Vitest: We've released patches for a critical security vulnerability. We strongly encourage projects to upgrade to versions 1.6.1, 2.1.9, or 3.0.5 as soon as possible.

See full post

Vitest vitest.dev
We've released patches for a critical security vulnerability. We strongly encourage projects to upgrade to versions 1.6.1, 2.1.9, or 3.0.5 as soon as possible.
Remote Code Execution when accessing a malicious website while Vitest API server is listening

### Summary Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. ### Details When [`api` o...

github.com
Feb 4, 2025 08:18
0 reposts 1 quote 0 likes

View on Bluesky Show all post labels
Vitest vitest.dev · Feb 4
The patched versions also include patches for a browser mode security vulnerability.
Browser mode serves arbitrary files

### Summary `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`]...

github.com

View on Bluesky Show all post labels
Vitest vitest.dev · Feb 4
🙏
- AriPerkkio ariperkkio.dev · Feb 4
  Huge thanks to @sapphi.red for helping the @vitest.dev team with these findings. Perfect collaboration between projects. 🤝
View on Bluesky Show all post labels

An unhandled error has occurred. Reload 🗙