CVE-2026-53633
vitest-dev · vitest
Vitest Browser Mode fails to restrict Chrome DevTools Protocol methods, allowing remote attackers to execute arbitrary Node.js code by overwriting configuration files.
Executive summary
A critical vulnerability in Vitest Browser Mode allows unauthenticated remote attackers to achieve arbitrary code execution on the host system.
Vulnerability
The application incorrectly exposes dangerous Chrome DevTools Protocol methods without authorization checks. This enables an unauthenticated remote attacker to perform file system operations and execute arbitrary Node.js code.
Business impact
This vulnerability carries a CVSS score of 9.8, indicating a critical risk to the organization. Successful exploitation allows for full system compromise, potential data exfiltration, and lateral movement within the development or CI/CD environment.
Remediation
Immediate Action: Update the vitest package to versions 3.2.5, 4.1.8, or 5.0.0-beta.4 or later immediately.
Proactive Monitoring: Review build server logs and application configuration change logs for unauthorized modifications to vite.config.ts or suspicious outbound network traffic.
Compensating Controls: Ensure that build environments are isolated and network access to the Vitest dev server is restricted to trusted internal IP addresses using firewall rules.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this flaw and the potential for complete remote code execution, immediate patching is required. Organizations should prioritize updating all instances of Vitest within their development pipelines to the remediated versions to prevent unauthorized system access.