SCA: security update for vitest (GHSA-9crc-q9x8-hgqq)

high Tenable Self-Hosted Container Security Plugin ID 420818

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code
Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket
hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket
server. This WebSocket server did not check Origin header and did not have any authorization mechanism and
was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file
and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a
test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This
vulnerability can result in remote code execution for users that are using Vitest serve API. This issue
has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known
workarounds for this vulnerability. (CVE-2025-24964)

See Also

https://github.com/advisories/GHSA-9crc-q9x8-hgqq

Plugin Details

Severity: High

ID: 420818

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 2/4/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-24964

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/4/2025

Vulnerability Publication Date: 2/4/2025

Reference Information

CVE: CVE-2025-24964