What is CVE-2025-24964?

CVE-2025-24964 is a critical-severity vulnerability in Vitest-dev Vitest, classified under CWE-1385. CVSS score: 9.7/10. Published 2025-02-04.

How severe is CVE-2025-24964?

Critical severity. CVSS v3 base score is 9.7 out of 10.

Vulnerability in Vitest-dev Vitest

CVE-2025-24964

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When…

EPSS: 0.019 (83.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.7 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Affected products

Vitest-dev Vitest — versions <= 0.0.125, >= 1.0.0, < 1.6.1, >= 2.0.0, < 2.1.9

Weakness classification (CWE)

CWE-1385

References

https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq (x_refsource_CONFIRM)
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46 (x_refsource_MISC)
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76 (x_refsource_MISC)
https://vitest.dev/config/#api (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-24964?: CVE-2025-24964 is a critical-severity vulnerability in Vitest-dev Vitest, classified under CWE-1385. CVSS score: 9.7/10. Published 2025-02-04.
How severe is CVE-2025-24964?: Critical severity. CVSS v3 base score is 9.7 out of 10.