{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@vitest/browser/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@vitest/browser"],"_cs_severities":["critical"],"_cs_tags":["xss","rce","vitest","javascript","dependency-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Vitest"],"content_html":"\u003cp\u003eThe Vitest browser mode is susceptible to a reflected cross-site scripting (XSS) vulnerability. Specifically, the \u003ccode\u003eotelCarrier\u003c/code\u003e query parameter, when passed to the \u003ccode\u003e/__vitest_test__/\u003c/code\u003e endpoint, is directly inserted into an inline module script without proper sanitization. This allows an attacker to inject arbitrary JavaScript code that executes within the Vitest server\u0026rsquo;s origin. The generated page also contains \u003ccode\u003eVITEST_API_TOKEN\u003c/code\u003e, which is used for authenticating Vitest WebSocket APIs, leading to potential token compromise and authenticated API calls. This issue affects Vitest versions \u0026gt;= 4.0.17 and \u0026lt; 4.1.6, as well as \u0026gt;= 5.0.0-beta.0 and \u0026lt; 5.0.0-beta.3, impacting users running Vitest browser mode. A successful exploit requires a victim to open a crafted Vitest browser-runner URL while the Vitest browser server is active.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting the \u003ccode\u003e/__vitest_test__/\u003c/code\u003e endpoint, embedding JavaScript code within the \u003ccode\u003eotelCarrier\u003c/code\u003e query parameter.\u003c/li\u003e\n\u003cli\u003eThe victim opens the attacker-crafted URL in a web browser while the Vitest browser server is running.\u003c/li\u003e\n\u003cli\u003eThe Vitest server reflects the unsanitized \u003ccode\u003eotelCarrier\u003c/code\u003e parameter directly into an inline module script within the generated HTML page.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the victim\u0026rsquo;s browser, in the Vitest server origin.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script accesses \u003ccode\u003ewindow.VITEST_API_TOKEN\u003c/code\u003e, compromising the Vitest WebSocket API token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised API token to authenticate with the Vitest WebSocket API endpoint at \u003ccode\u003e/__vitest_browser_api__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003etriggerCommand\u003c/code\u003e function via the WebSocket to write a malicious payload into the \u003ccode\u003evite.config.ts\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eVitest/Vite reloads the modified configuration file, resulting in the execution of the injected code within the Node.js environment, achieving remote code execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary JavaScript code within the Vitest server\u0026rsquo;s origin. In a default local browser-mode setup, this XSS can be leveraged to compromise the Vitest API token, leading to server-side code execution. A confirmed proof of concept demonstrates modifying \u003ccode\u003evite.config.ts\u003c/code\u003e to execute arbitrary code in Node. This issue poses a significant risk to developers and CI/CD environments using Vitest in browser mode.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a non-vulnerable version of \u003ccode\u003e@vitest/browser\u003c/code\u003e to address CVE-2026-47428.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Vitest otelCarrier Parameter Injection\u0026rdquo; to identify potential exploitation attempts by detecting suspicious characters in the \u003ccode\u003eotelCarrier\u003c/code\u003e query parameter within web server logs.\u003c/li\u003e\n\u003cli\u003eBlock access to the known malicious URLs (e.g., \u003ccode\u003ehttp://localhost:63315/__vitest_test__/?otelCarrier=(alert(%22xss%20via%20otelCarrier%22)%2Cnull)\u003c/code\u003e) listed in the IOC section at the network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T14:14:49Z","date_published":"2026-06-01T14:14:49Z","id":"https://feed.craftedsignal.io/briefs/2026-06-vitest-xss/","summary":"Vitest browser mode is vulnerable to reflected cross-site scripting (XSS) due to the `otelCarrier` query parameter being inserted directly into an inline module script without sanitization, enabling an attacker to craft a browser-runner URL that executes arbitrary JavaScript in the Vitest server origin, potentially leading to remote code execution (RCE).","title":"Vitest Browser Mode XSS via otelCarrier Parameter Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-06-vitest-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — @Vitest/Browser","version":"https://jsonfeed.org/version/1.1"}