CVE-2026-53633 - Vitest Browser Mode CDP API RCE

CVE-2026-53633 covers a critical Vitest Browser Mode flaw where the exposed browser API still allowed raw Chrome DevTools Protocol access through cdp() even when operators believed write and exec actions were disabled. A reachable client could use CDP to set download paths, overwrite project files such as vite.config.ts, and then get Node.js code execution when Vitest reloaded the modified config.

This is primarily a development, CI, and remote-workspace risk. The dangerous shape is not “Vitest exists in package.json”; it is Browser Mode running with a CDP-capable provider and a network-reachable API server.

When to use it

Use this recipe when a repository uses Vitest Browser Mode with Playwright, Chrome DevTools Protocol, browser API endpoints, or remote/devcontainer/CI runners where a test server might be reachable beyond loopback. It is designed for source-code and config remediation, CDP privilege-boundary review, developer-tooling hardening, and evidence that browser automation APIs cannot be abused for file writes or command execution.

Inputs

  • @vitest/browser version, Vitest version, lockfiles, browser provider config, Playwright/CDP settings, test scripts, devcontainer/CI commands, and generated dependency reports.
  • Source/config paths that enable Browser Mode, expose API hosts/ports, connect to CDP, set write/exec permissions, mount secrets, or run browser tests in shared infrastructure.
  • Regression fixtures or safe checks for fixed versions, loopback-only API binding, disabled privileged APIs on exposed runners, and denied raw CDP access from untrusted callers.
  • Boundary evidence: repository/package/cloud/model-provider credentials, mounted workspaces, forwarded ports, shared runner ownership, logs, and rollout owner.

Affected versions

Package Vulnerable versions Fixed versions
@vitest/browser >=3.0.0, <=3.2.4 3.2.5+
@vitest/browser >=4.0.0, <=4.1.7 4.1.8+
@vitest/browser >=5.0.0-beta.0, <=5.0.0-beta.3 5.0.0-beta.4+
vite-plus <=0.1.23 0.1.24+

Indicator-of-exposure

  • The repository resolves affected @vitest/browser or vite-plus versions.
  • Browser Mode runs with a CDP-capable provider such as Playwright Chromium.
  • browser.api.host, --browser.api.host, forwarded ports, tunnels, shared dev containers, or remote IDEs expose the Vitest browser API beyond loopback.
  • Teams rely on allowWrite: false or allowExec: false as the main control for an exposed Browser Mode server.

Quick checks:

rg -n "@vitest/browser|vite-plus|browser:\\s*\\{|browser\\.api|allowWrite|allowExec|cdp\\(|0\\.0\\.0\\.0|--browser\\.api\\.host|playwright\\(" .
npm ls @vitest/browser vite-plus vitest
pnpm why @vitest/browser vite-plus vitest
yarn why @vitest/browser vite-plus vitest

Windows:

rg -n "@vitest/browser|vite-plus|browser:\\s*\\{|browser\\.api|allowWrite|allowExec|cdp\\(|0\\.0\\.0\\.0|--browser\\.api\\.host|playwright\\(" .
npm ls @vitest/browser vite-plus vitest
pnpm why @vitest/browser vite-plus vitest
yarn why @vitest/browser vite-plus vitest

Do not recover VITEST_API_TOKEN, call CDP methods, overwrite config files, or exercise the live RCE path during triage.

Remediation strategy

  • Upgrade @vitest/browser to 3.2.5+, 4.1.8+, or 5.0.0-beta.4+ on the active major line and upgrade vite-plus to 0.1.24+ where used.
  • Keep Browser Mode APIs loopback-only by default.
  • Remove accidental network exposure from CI, remote workspaces, tunnel scripts, and docs.
  • On any approved non-loopback runner, explicitly disable privileged browser APIs and document the exception owner.
  • Keep secret-bearing CI, release, and publish jobs separate from interactive Browser Mode servers.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-53633 / GHSA-g8mr-85jm-7xhm, a critical Vitest
Browser Mode issue where exposed raw CDP access can bypass write and exec
restrictions and lead to host-side code execution. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades affected packages, hardens
  Browser Mode exposure, adds safe regression checks, and documents operator
  cleanup, or
- TRIAGE.md if this repository does not control an affected Browser Mode
  runtime.

## Rules

- Scope only CVE-2026-53633 / GHSA-g8mr-85jm-7xhm and directly related Vitest
  Browser Mode configuration.
- Treat Vitest API tokens, CI secrets, package tokens, cloud credentials,
  repository tokens, config files, and generated test artifacts as sensitive.
- Do not use CDP calls, overwrite config files, or trigger proof-of-concept
  execution.
- Do not remove browser-mode coverage just to silence the advisory.
- Do not auto-merge.

## Steps

1. Inventory every `@vitest/browser`, `vite-plus`, and `vitest` package,
   lockfile, image, devcontainer, and CI job controlled by this repository.
2. Determine whether any resolved package is in the affected ranges.
3. Search for Browser Mode execution paths, providers, host bindings, port
   forwarding, tunnels, and remote-dev defaults.
4. If no controlled affected runtime exists, stop with `TRIAGE.md`.
5. Upgrade to patched versions on the current release line and refresh
   lockfiles, caches, SBOMs, and generated dependency reports.
6. Bind Browser Mode APIs to loopback by default and remove accidental
   `0.0.0.0` or forwarded-port defaults.
7. Ensure any approved non-loopback Browser Mode server explicitly disables
   privileged write and execute capabilities and has a named owner.
8. Add safe regression checks for:
   - patched versions are resolved;
   - Browser Mode does not bind externally by default;
   - exposed Browser Mode configs require an explicit reviewed exception.
9. Add a PR body section named `CVE-2026-53633 operator actions` covering
   versions before and after, where Browser Mode runs, whether any server was
   externally reachable, and whether token rotation is needed.
10. Run relevant validation: package install, lockfile integrity, tests,
    config linting, CI linting, and dependency/security scans.
11. Use PR title:
    `fix(sec): remediate CVE-2026-53633 in Vitest browser mode`.

## Stop conditions

- No affected Browser Mode runtime is controlled by this repository.
- Validation would require live token recovery, CDP abuse, or file overwrite.
- Upgrading requires a broader framework migration outside repository scope.

Output contract

  • A reviewer-ready PR or change request that upgrades @vitest/browser, refreshes lockfiles/generated artifacts, restricts Browser Mode API exposure, hardens CDP access, and documents credential exposure review.
  • Or a TRIAGE.md file that lists inspected package files/config, owner, observed version, Browser Mode/CDP exposure boundary, mounted files/secrets, required fix, and residual risk.
  • The output must include exact validation commands and must not connect to raw CDP endpoints, recover browser API tokens, execute commands, write project files, or probe live shared runners.

Verification - what the reviewer looks for

  • No controlled install resolves the affected @vitest/browser or vite-plus versions.
  • Browser Mode APIs are loopback-only by default.
  • Any reviewed exception is explicit, owned, and non-secret-bearing.

Watch for

  • Updating package.json without updating lockfiles, CI images, or remote-dev templates.
  • Fixing vitest but leaving @vitest/browser pinned in another workspace.
  • Trusting allowWrite or allowExec defaults while the service remains externally reachable.

References