CVE-2026-53633 (GCVE-0-2026-53633)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:35 – Updated: 2026-07-14 19:35
VLAI
EPSS
VEX
Title
Vitest: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Summary
Vitest is a testing framework powered by Vite. From 3.0.0 until 3.2.5, 4.1.8, and 5.0.0-beta.4, Vitest Browser Mode exposed a cdp() API that forwarded raw Chrome DevTools Protocol methods without being gated by allowWrite or allowExec, allowing a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. This issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta.
Severity
9.8 (Critical)
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://github.com/vitest-dev/vitest/security/adv… | x_refsource_CONFIRM |
| https://github.com/vitest-dev/vitest/pull/10444 | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/pull/10450 | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/pull/10456 | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/commit/385a1… | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/commit/63e3b… | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/commit/e4067… | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/releases/tag… | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/releases/tag… | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| vitest-dev | vitest |
Affected:
>= 3.0.0, < 3.2.5
Affected: >= 4.0.0, < 4.1.8 Affected: >= 5.0.0-beta.0, < 5.0.0-beta.4 |
{
"containers": {
"cna": {
"affected": [
{
"product": "vitest",
"vendor": "vitest-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.2.5"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.1.8"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-beta.0, \u003c 5.0.0-beta.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vitest is a testing framework powered by Vite. From 3.0.0 until 3.2.5, 4.1.8, and 5.0.0-beta.4, Vitest Browser Mode exposed a cdp() API that forwarded raw Chrome DevTools Protocol methods without being gated by allowWrite or allowExec, allowing a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. This issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:35:42.739Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-g8mr-85jm-7xhm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-g8mr-85jm-7xhm"
},
{
"name": "https://github.com/vitest-dev/vitest/pull/10444",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/pull/10444"
},
{
"name": "https://github.com/vitest-dev/vitest/pull/10450",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/pull/10450"
},
{
"name": "https://github.com/vitest-dev/vitest/pull/10456",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/pull/10456"
},
{
"name": "https://github.com/vitest-dev/vitest/commit/385a1aefd4c2bfa5e7d58bf7c6834c929969f2c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/commit/385a1aefd4c2bfa5e7d58bf7c6834c929969f2c7"
},
{
"name": "https://github.com/vitest-dev/vitest/commit/63e3b2eee4d58da56786a6333f517b9b492528c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/commit/63e3b2eee4d58da56786a6333f517b9b492528c7"
},
{
"name": "https://github.com/vitest-dev/vitest/commit/e4067b3b150005fd42cf75f994300119245806b9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/commit/e4067b3b150005fd42cf75f994300119245806b9"
},
{
"name": "https://github.com/vitest-dev/vitest/releases/tag/v3.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/releases/tag/v3.2.5"
},
{
"name": "https://github.com/vitest-dev/vitest/releases/tag/v4.1.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/releases/tag/v4.1.8"
},
{
"name": "https://github.com/vitest-dev/vitest/releases/tag/v5.0.0-beta.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/releases/tag/v5.0.0-beta.4"
}
],
"source": {
"advisory": "GHSA-g8mr-85jm-7xhm",
"discovery": "UNKNOWN"
},
"title": "Vitest: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53633",
"datePublished": "2026-07-14T19:35:42.739Z",
"dateReserved": "2026-06-09T20:16:59.647Z",
"dateUpdated": "2026-07-14T19:35:42.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-53633",
"date": "2026-07-15",
"epss": "0.00585",
"percentile": "0.44009"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-53633\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-07-14T20:17:42.173\",\"lastModified\":\"2026-07-14T20:17:42.173\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vitest is a testing framework powered by Vite. From 3.0.0 until 3.2.5, 4.1.8, and 5.0.0-beta.4, Vitest Browser Mode exposed a cdp() API that forwarded raw Chrome DevTools Protocol methods without being gated by allowWrite or allowExec, allowing a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. This issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"vitest-dev\",\"product\":\"vitest\",\"versions\":[{\"version\":\"\u003e= 3.0.0, \u003c 3.2.5\",\"status\":\"affected\"},{\"version\":\"\u003e= 4.0.0, \u003c 4.1.8\",\"status\":\"affected\"},{\"version\":\"\u003e= 5.0.0-beta.0, \u003c 5.0.0-beta.4\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-749\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/vitest-dev/vitest/commit/385a1aefd4c2bfa5e7d58bf7c6834c929969f2c7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/commit/63e3b2eee4d58da56786a6333f517b9b492528c7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/commit/e4067b3b150005fd42cf75f994300119245806b9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/pull/10444\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/pull/10450\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/pull/10456\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/releases/tag/v3.2.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/releases/tag/v4.1.8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/releases/tag/v5.0.0-beta.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitest-dev/vitest/security/advisories/GHSA-g8mr-85jm-7xhm\",\"source\":\"security-advisories@github.com\"}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-15T12:35:56+00:00",
"cve": "CVE-2026-53633",
"id": "CVE-2026-53633",
"initial_release_date": "2026-07-14T19:35:42.739000+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "@vitest/browser: vite-plus: Vitest: Remote code execution via exposed Chrome DevTools Protocol API",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53633.json",
"version": "3"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…