How severe is CVE-2025-24964?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2025-24964?

This is classified as CWE-1385, which is a common weakness in software security.

CVE-2025-24964 - CRITICAL Severity | CVSS 9.6

Vulnerability Description

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2023-0957

CRITICAL

CVSS:9.6(Critical)

An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Git...

CWE-13852023

CVE-2024-48849

HIGH

CVSS:9.4(Critical)

Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through <= 9.3.4.

CWE-13852024

CVE-2014-125071

CRITICAL

CVSS:9.8(Critical)

A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulatio...

CWE-13852014

CVE-2024-23168

CRITICAL

CVSS:9.8(Critical)

Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution.

CWE-13852024

CVE-2023-26114

CRITICAL

CVSS:9.3(Critical)

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to ac...

CWE-13852023

CVE-2023-2848

HIGH

CVSS:8.8(High)

Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation.

CWE-13852023