@Vitest/Browser — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/@vitest/browser/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 01 Jun 2026 14:14:49 +0000Vitest Browser Mode XSS via otelCarrier Parameter Leads to RCEhttps://feed.craftedsignal.io/briefs/2026-06-vitest-xss/Mon, 01 Jun 2026 14:14:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-vitest-xss/Vitest browser mode is vulnerable to reflected cross-site scripting (XSS) due to the `otelCarrier` query parameter being inserted directly into an inline module script without sanitization, enabling an attacker to craft a browser-runner URL that executes arbitrary JavaScript in the Vitest server origin, potentially leading to remote code execution (RCE).The Vitest browser mode is susceptible to a reflected cross-site scripting (XSS) vulnerability. Specifically, the otelCarrier query parameter, when passed to the /__vitest_test__/ endpoint, is directly inserted into an inline module script without proper sanitization. This allows an attacker to inject arbitrary JavaScript code that executes within the Vitest server’s origin. The generated page also contains VITEST_API_TOKEN, which is used for authenticating Vitest WebSocket APIs, leading to potential token compromise and authenticated API calls. This issue affects Vitest versions >= 4.0.17 and < 4.1.6, as well as >= 5.0.0-beta.0 and < 5.0.0-beta.3, impacting users running Vitest browser mode. A successful exploit requires a victim to open a crafted Vitest browser-runner URL while the Vitest browser server is active.

Attack Chain

  1. The attacker crafts a malicious URL targeting the /__vitest_test__/ endpoint, embedding JavaScript code within the otelCarrier query parameter.
  2. The victim opens the attacker-crafted URL in a web browser while the Vitest browser server is running.
  3. The Vitest server reflects the unsanitized otelCarrier parameter directly into an inline module script within the generated HTML page.
  4. The injected JavaScript executes within the victim’s browser, in the Vitest server origin.
  5. The attacker’s script accesses window.VITEST_API_TOKEN, compromising the Vitest WebSocket API token.
  6. The attacker uses the compromised API token to authenticate with the Vitest WebSocket API endpoint at /__vitest_browser_api__.
  7. The attacker calls the triggerCommand function via the WebSocket to write a malicious payload into the vite.config.ts file.
  8. Vitest/Vite reloads the modified configuration file, resulting in the execution of the injected code within the Node.js environment, achieving remote code execution (RCE).

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code within the Vitest server’s origin. In a default local browser-mode setup, this XSS can be leveraged to compromise the Vitest API token, leading to server-side code execution. A confirmed proof of concept demonstrates modifying vite.config.ts to execute arbitrary code in Node. This issue poses a significant risk to developers and CI/CD environments using Vitest in browser mode.

Recommendation

  • Apply the patch or upgrade to a non-vulnerable version of @vitest/browser to address CVE-2026-47428.
  • Deploy the Sigma rule “Detect Vitest otelCarrier Parameter Injection” to identify potential exploitation attempts by detecting suspicious characters in the otelCarrier query parameter within web server logs.
  • Block access to the known malicious URLs (e.g., http://localhost:63315/__vitest_test__/?otelCarrier=(alert(%22xss%20via%20otelCarrier%22)%2Cnull)) listed in the IOC section at the network perimeter.
]]>criticaladvisoryxssrcevitestjavascriptdependency-vulnerability