CVE-2026-53633

vitest-dev · vitest

Vitest Browser Mode fails to restrict Chrome DevTools Protocol methods, allowing remote attackers to execute arbitrary Node.js code by overwriting configuration files.

Executive summary

A critical vulnerability in Vitest Browser Mode allows unauthenticated remote attackers to achieve arbitrary code execution on the host system.

Vulnerability

The application incorrectly exposes dangerous Chrome DevTools Protocol methods without authorization checks. This enables an unauthenticated remote attacker to perform file system operations and execute arbitrary Node.js code.

Business impact

This vulnerability carries a CVSS score of 9.8, indicating a critical risk to the organization. Successful exploitation allows for full system compromise, potential data exfiltration, and lateral movement within the development or CI/CD environment.

Remediation

Immediate Action: Update the vitest package to versions 3.2.5, 4.1.8, or 5.0.0-beta.4 or later immediately.

Proactive Monitoring: Review build server logs and application configuration change logs for unauthorized modifications to vite.config.ts or suspicious outbound network traffic.

Compensating Controls: Ensure that build environments are isolated and network access to the Vitest dev server is restricted to trusted internal IP addresses using firewall rules.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical nature of this flaw and the potential for complete remote code execution, immediate patching is required. Organizations should prioritize updating all instances of Vitest within their development pipelines to the remediated versions to prevent unauthorized system access.