2 matches found
CVE-2025-24964
Vitest CVE-2025-24964 is a remotely exploitable CSWSH (Cross-site WebSocket hijacking) vulnerability in the Vitest API server when api is enabled. The WebSocket server did not validate Origin or enforce authorization, exposing saveTestFile (edits test files) and rerun (executes tests) APIs. An at...
CVE-2025-24963
CVE-2025-24963 concerns Vitest browser-mode HTTP server. The vulnerability arises from the __screenshot-error handler, which can respond with arbitrary files from the host filesystem when the browser-mode server is exposed to the network (e.g., via browser.api.host: true). Under these conditions,...