@vitest/browser
npm | 3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @vitest/browser
- CVE-2025-24963 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 3.0.4 | 2025-02-04
  Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an a…
- CVE-2026-47428 | CRITICAL | CVSS 9.6 | EG 9.6 | ✓ Fixed in 5.0.0-beta.3 | 2026-06-01
  Vitest browser mode serves unsanitized otelCarrier query parameter as inline script. Summary: Vitest browser mode served `/__vitest_test__/` with the `otelCarrier` query parameter inserted directly into an inline module script. Because …
- CVE-2026-53633 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.2.5 | 2026-06-15
  Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE. Summary: Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSo…