Vulnerability	Vulnerable Version
M Missing Origin Validation in WebSockets vitest is a Next generation testing framework powered by Vite Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets through the WebSocket server setup, due to missing checks of the Origin header and authorization mechanism. An attacker can execute arbitrary code by injecting malicious code into a test file using the `saveTestFile` API and subsequently executing the file via the `rerun` API. How to fix Missing Origin Validation in WebSockets? Upgrade `vitest` to version 1.6.1, 2.1.9, 3.0.5 or higher.	>=1.0.0 <1.6.1>=2.0.0 <2.1.9<3.0.5
H Directory Traversal vitest is a Next generation testing framework powered by Vite Affected versions of this package are vulnerable to Directory Traversal through the `__screenshot-error` handler on the browser mode HTTP server. An attacker can access and retrieve the content of arbitrary files by sending a specially crafted request to the server. Note: This is only exploitable if the server is explicitly exposed to the network with `browser.api.host: true`. How to fix Directory Traversal? Upgrade `vitest` to version 2.1.9, 3.0.4 or higher.	>=2.0.4 <2.1.9>=3.0.0 <3.0.4

Missing Origin Validation in WebSockets

vitest is a Next generation testing framework powered by Vite

Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets through the WebSocket server setup, due to missing checks of the Origin header and authorization mechanism. An attacker can execute arbitrary code by injecting malicious code into a test file using the saveTestFile API and subsequently executing the file via the rerun API.

How to fix Missing Origin Validation in WebSockets?

Upgrade vitest to version 1.6.1, 2.1.9, 3.0.5 or higher.

>=1.0.0 <1.6.1>=2.0.0 <2.1.9<3.0.5

Directory Traversal

vitest is a Next generation testing framework powered by Vite

Affected versions of this package are vulnerable to Directory Traversal through the __screenshot-error handler on the browser mode HTTP server. An attacker can access and retrieve the content of arbitrary files by sending a specially crafted request to the server.

Note: This is only exploitable if the server is explicitly exposed to the network with browser.api.host: true.

How to fix Directory Traversal?

Upgrade vitest to version 2.1.9, 3.0.4 or higher.

>=2.0.4 <2.1.9>=3.0.0 <3.0.4

Go back to all versions of this package