CVE-2026-53633 - Vitest Browser Mode CDP API RCE
CVE-2026-53633 covers a critical Vitest Browser Mode flaw where the exposed
browser API still allowed raw Chrome DevTools Protocol access through cdp()
even when operators believed write and exec actions were disabled. A reachable
client could use CDP to set download paths, overwrite project files such as
vite.config.ts, and then get Node.js code execution when Vitest reloaded the
modified config.
This is primarily a development, CI, and remote-workspace risk. The dangerous shape is not “Vitest exists in package.json”; it is Browser Mode running with a CDP-capable provider and a network-reachable API server.
When to use it
Use this recipe when a repository uses Vitest Browser Mode with Playwright, Chrome DevTools Protocol, browser API endpoints, or remote/devcontainer/CI runners where a test server might be reachable beyond loopback. It is designed for source-code and config remediation, CDP privilege-boundary review, developer-tooling hardening, and evidence that browser automation APIs cannot be abused for file writes or command execution.
Inputs
@vitest/browserversion, Vitest version, lockfiles, browser provider config, Playwright/CDP settings, test scripts, devcontainer/CI commands, and generated dependency reports.- Source/config paths that enable Browser Mode, expose API hosts/ports, connect to CDP, set write/exec permissions, mount secrets, or run browser tests in shared infrastructure.
- Regression fixtures or safe checks for fixed versions, loopback-only API binding, disabled privileged APIs on exposed runners, and denied raw CDP access from untrusted callers.
- Boundary evidence: repository/package/cloud/model-provider credentials, mounted workspaces, forwarded ports, shared runner ownership, logs, and rollout owner.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
@vitest/browser |
>=3.0.0, <=3.2.4 |
3.2.5+ |
@vitest/browser |
>=4.0.0, <=4.1.7 |
4.1.8+ |
@vitest/browser |
>=5.0.0-beta.0, <=5.0.0-beta.3 |
5.0.0-beta.4+ |
vite-plus |
<=0.1.23 |
0.1.24+ |
Indicator-of-exposure
- The repository resolves affected
@vitest/browserorvite-plusversions. - Browser Mode runs with a CDP-capable provider such as Playwright Chromium.
browser.api.host,--browser.api.host, forwarded ports, tunnels, shared dev containers, or remote IDEs expose the Vitest browser API beyond loopback.- Teams rely on
allowWrite: falseorallowExec: falseas the main control for an exposed Browser Mode server.
Quick checks:
rg -n "@vitest/browser|vite-plus|browser:\\s*\\{|browser\\.api|allowWrite|allowExec|cdp\\(|0\\.0\\.0\\.0|--browser\\.api\\.host|playwright\\(" .
npm ls @vitest/browser vite-plus vitest
pnpm why @vitest/browser vite-plus vitest
yarn why @vitest/browser vite-plus vitest
Windows:
rg -n "@vitest/browser|vite-plus|browser:\\s*\\{|browser\\.api|allowWrite|allowExec|cdp\\(|0\\.0\\.0\\.0|--browser\\.api\\.host|playwright\\(" .
npm ls @vitest/browser vite-plus vitest
pnpm why @vitest/browser vite-plus vitest
yarn why @vitest/browser vite-plus vitest
Do not recover VITEST_API_TOKEN, call CDP methods, overwrite config files, or
exercise the live RCE path during triage.
Remediation strategy
- Upgrade
@vitest/browserto3.2.5+,4.1.8+, or5.0.0-beta.4+on the active major line and upgradevite-plusto0.1.24+where used. - Keep Browser Mode APIs loopback-only by default.
- Remove accidental network exposure from CI, remote workspaces, tunnel scripts, and docs.
- On any approved non-loopback runner, explicitly disable privileged browser APIs and document the exception owner.
- Keep secret-bearing CI, release, and publish jobs separate from interactive Browser Mode servers.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-53633 / GHSA-g8mr-85jm-7xhm, a critical Vitest
Browser Mode issue where exposed raw CDP access can bypass write and exec
restrictions and lead to host-side code execution. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades affected packages, hardens
Browser Mode exposure, adds safe regression checks, and documents operator
cleanup, or
- TRIAGE.md if this repository does not control an affected Browser Mode
runtime.
## Rules
- Scope only CVE-2026-53633 / GHSA-g8mr-85jm-7xhm and directly related Vitest
Browser Mode configuration.
- Treat Vitest API tokens, CI secrets, package tokens, cloud credentials,
repository tokens, config files, and generated test artifacts as sensitive.
- Do not use CDP calls, overwrite config files, or trigger proof-of-concept
execution.
- Do not remove browser-mode coverage just to silence the advisory.
- Do not auto-merge.
## Steps
1. Inventory every `@vitest/browser`, `vite-plus`, and `vitest` package,
lockfile, image, devcontainer, and CI job controlled by this repository.
2. Determine whether any resolved package is in the affected ranges.
3. Search for Browser Mode execution paths, providers, host bindings, port
forwarding, tunnels, and remote-dev defaults.
4. If no controlled affected runtime exists, stop with `TRIAGE.md`.
5. Upgrade to patched versions on the current release line and refresh
lockfiles, caches, SBOMs, and generated dependency reports.
6. Bind Browser Mode APIs to loopback by default and remove accidental
`0.0.0.0` or forwarded-port defaults.
7. Ensure any approved non-loopback Browser Mode server explicitly disables
privileged write and execute capabilities and has a named owner.
8. Add safe regression checks for:
- patched versions are resolved;
- Browser Mode does not bind externally by default;
- exposed Browser Mode configs require an explicit reviewed exception.
9. Add a PR body section named `CVE-2026-53633 operator actions` covering
versions before and after, where Browser Mode runs, whether any server was
externally reachable, and whether token rotation is needed.
10. Run relevant validation: package install, lockfile integrity, tests,
config linting, CI linting, and dependency/security scans.
11. Use PR title:
`fix(sec): remediate CVE-2026-53633 in Vitest browser mode`.
## Stop conditions
- No affected Browser Mode runtime is controlled by this repository.
- Validation would require live token recovery, CDP abuse, or file overwrite.
- Upgrading requires a broader framework migration outside repository scope.
Output contract
- A reviewer-ready PR or change request that upgrades
@vitest/browser, refreshes lockfiles/generated artifacts, restricts Browser Mode API exposure, hardens CDP access, and documents credential exposure review. - Or a
TRIAGE.mdfile that lists inspected package files/config, owner, observed version, Browser Mode/CDP exposure boundary, mounted files/secrets, required fix, and residual risk. - The output must include exact validation commands and must not connect to raw CDP endpoints, recover browser API tokens, execute commands, write project files, or probe live shared runners.
Verification - what the reviewer looks for
- No controlled install resolves the affected
@vitest/browserorvite-plusversions. - Browser Mode APIs are loopback-only by default.
- Any reviewed exception is explicit, owned, and non-secret-bearing.
Watch for
- Updating
package.jsonwithout updating lockfiles, CI images, or remote-dev templates. - Fixing
vitestbut leaving@vitest/browserpinned in another workspace. - Trusting
allowWriteorallowExecdefaults while the service remains externally reachable.
Related recipes
- Source code secrets and data exposure audit
- Source code supply chain build integrity audit
- Source code attack surface map
- SAST finding triage and fix
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-g8mr-85jm-7xhm
- Vitest vendor advisory: https://github.com/vitest-dev/vitest/security/advisories/GHSA-g8mr-85jm-7xhm
- Vitest browser API docs: https://main.vitest.dev/config/browser/api
- Vitest releases: https://github.com/vitest-dev/vitest/releases