8 matches found
EUVD-2025-0224
Malicious code in bioql PyPI...
Remote Code Execution (RCE)
Vitest is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the WebSocket server not validating the Origin header and lacking an authorization mechanism, allowing an attacker to inject and execute arbitrary code via the saveTestFile and rerun APIs...
CVE-2025-24963
Vitest Browser Mode Local File Read (CVE-2025-24963): The __screenshot-error HTTP handler in Vitest’s browser mode can serve arbitrary files if the server is exposed to the network (browser.api.host: true). Root cause tied to commit 2d62051. Impact is reading arbitrary filesystem content; remedia...
CVE-2025-24963 Browser mode serves arbitrary files in vitest
Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server responds with any file on the file system. In particular, if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler remotely to get th...
CVE-2025-24963 Browser mode serves arbitrary files in vitest
Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server responds with any file on the file system. In particular, if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler remotely to get th...
@armit/eslint-config-bases (>=0.1.1 <=0.1.5), @bpinternal/expresso (=0.2.4) +44 more potentially affected by CVE-2025-24964 via vitest (>=1.0.1 <=1.6.0)
vitest NPM version =1.0.1, =0.1.1, =1.2.3, =1.7.0, =1.7.0, =1.7.0, =1.0.295, =8.22.0, =0.0.0, =1.4.0, =4.7.0, =1.0.0, =1.1.5 and more. Source CVEs: CVE-2025-24964. Source advisory: OSV:GHSA-9CRC-Q9X8-HGQQ...
modern-web-swiss-army-knife (>=2.7.0 <=2.7.1), nuxt-spec (>=0.0.1 <=0.0.2) potentially affected by CVE-2025-24964 via vitest (>=3.0.2 <=3.0.4)
vitest NPM version =3.0.2, =2.7.0, =0.0.1, =0.0.2. Source CVEs: CVE-2025-24964. Source advisory: OSV:GHSA-9CRC-Q9X8-HGQQ...
@accelint/vitest-config (=0.1.4), @ai16z/plugin-evm (>=0.1.5-alpha.2 <=0.1.5-alpha.5) +88 more potentially affected by CVE-2025-24964 via vitest (>=2.0.1 <=2.1.8)
vitest NPM version =2.0.1, =0.1.5-alpha.2, =0.1.5-alpha.0, =0.1.5-alpha.0, =0.1.5-alpha.0, =0.0.0, =0.0.1, =0.1.1, =1.2.1, =0.0.1, =0.1.8-alpha.1, =0.1.9 and more. Source CVEs: CVE-2025-24964. Source advisory: OSV:GHSA-9CRC-Q9X8-HGQQ...