PatchSiren cyber security CVE debrief
CVE-2026-53633 vitest-dev CVE debrief
CVE-2026-53633 is a critical vulnerability in Vitest Browser Mode, allowing remote code execution via the Chrome DevTools Protocol. Versions 3.0.0 to 3.2.5, 4.1.8, and 5.0.0-beta.4 are affected. The issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta. The vulnerability has a CVSS score of 9.8 and is classified as CRITICAL. The vulnerability exists in the Vitest Browser Mode's cdp() API, which exposes raw Chrome DevTools Protocol methods without proper gating. This allows a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. Developers and administrators should be aware of this critical vulnerability and take immediate action to upgrade to a patched version.
- Vendor
- vitest-dev
- Product
- vitest
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Developers and administrators using Vitest Browser Mode versions 3.0.0 to 3.2.5, 4.1.8, and 5.0.0-beta.4 should be aware of this critical vulnerability and take immediate action to upgrade to a patched version. Operators, platform administrators, and security teams responsible for managing and securing Vitest Browser Mode deployments should prioritize patching and review their current configurations for potential exposure.
Technical summary
The vulnerability exists in the Vitest Browser Mode's cdp() API, which exposes raw Chrome DevTools Protocol methods without proper gating. This allows a remote client with exposed browser API metadata to use CDP Page.setDownloadBehavior and Runtime.evaluate to overwrite vite.config.ts and execute attacker-controlled Node.js code. The affected versions are 3.0.0 to 3.2.5, 4.1.8, and 5.0.0-beta.4, and the issue is fixed in versions 3.2.5, 4.1.8, and 5.0.0-beta.5 or later. The vulnerability has a CVSS score of 9.8 and is classified as CRITICAL.
Defensive priority
High
Recommended defensive actions
- Upgrade to a patched version of Vitest Browser Mode (3.2.5, 4.1.8, or 5.0.0-beta.5 or later)
- Review and restrict access to the Vitest Browser Mode API
- Monitor for suspicious activity and implement additional security measures
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-14T20:17:42.173Z and last modified on 2026-07-16T05:16:24.673Z. The NVD entry is currently awaiting analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record has not been modified since its initial publication.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T20:17:42.173Z and has not been modified since then.