CVE-2026-53633

CVE-2026-53633: Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite

CVE-2026-53633 is a critical (CVSS 9.8) remote code execution vulnerability in @vitest/browser and vite-plus packages. The browser mode API is exposed without adequate authorization controls (CWE-749, CWE-862), allowing unauthenticated attackers to proxy Chrome DevTools Protocol (CDP) commands and overwrite configuration files. This can lead to arbitrary code execution on the host running Vitest in browser mode. Affected versions include @vitest/browser >= 3.0.0 <= 3.2.4, >= 4.0.0 <= 4.1.7, >= 5.0.0-beta.0 <= 5.0.0-beta.3, and vite-plus <= 0.1.23. A public PoC exists.
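The affected ranges above are the first thing a defender has to check against their own dependency tree, and the pre-release bound (5.0.0-beta.0 to 5.0.0-beta.3) trips up naive string comparison. The following checker is an added example written for this page, not code from the Vitest project or the advisory; it encodes exactly the ranges stated above, compares versions with semver precedence (a release sorts after its pre-releases), and walks a package-lock.json "packages" map so nested copies are caught too. The lockfile content is constructed for demonstration.

```python
"""Check installed @vitest/browser / vite-plus versions against the affected
ranges stated for CVE-2026-53633 (added example; not from the advisory)."""
import json
import re

# Affected ranges exactly as the advisory text states them:
# (lower bound inclusive or None, upper bound inclusive)
AFFECTED_RANGES = {
    "@vitest/browser": [
        ("3.0.0", "3.2.4"),
        ("4.0.0", "4.1.7"),
        ("5.0.0-beta.0", "5.0.0-beta.3"),
    ],
    "vite-plus": [(None, "0.1.23")],  # no lower bound is stated
}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def version_key(version):
    """Sortable key following semver precedence: a release ranks above its
    pre-releases, and pre-release identifiers compare numerically when numeric."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + ((1, ()),)  # release: sorts after any (0, ...) pre-release key
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + ((0, parts),)


def is_affected(package, version):
    """True when `version` of `package` lies inside one of the stated affected ranges."""
    key = version_key(version)
    for lower, upper in AFFECTED_RANGES.get(package, []):
        if (lower is None or version_key(lower) <= key) and key <= version_key(upper):
            return True
    return False


def scan_package_lock(lock_text):
    """Walk a package-lock.json (lockfileVersion 2/3 'packages' map) and return
    {install path: version} for every affected install, nested copies included."""
    lock = json.loads(lock_text)
    hits = {}
    for path, meta in lock.get("packages", {}).items():
        # keys look like "node_modules/@vitest/browser" or "node_modules/x/node_modules/vite-plus"
        name = path.split("node_modules/")[-1] if "node_modules/" in path else None
        if name in AFFECTED_RANGES and is_affected(name, meta.get("version", "0.0.0")):
            hits[path] = meta["version"]
    return hits


# Constructed lockfile fragment for demonstration (not a real project)
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "devDependencies": {"@vitest/browser": "^3.2.0", "vitest": "^3.2.0"}},
        "node_modules/@vitest/browser": {"version": "3.2.4", "dev": True},
        "node_modules/vitest": {"version": "3.2.4", "dev": True},
        "node_modules/some-tool/node_modules/vite-plus": {"version": "0.1.23", "dev": True},
        "node_modules/other-tool/node_modules/@vitest/browser": {"version": "5.0.0", "dev": True},
    },
})

if __name__ == "__main__":
    for path, ver in scan_package_lock(SAMPLE_LOCK).items():
        print(f"AFFECTED  {path} @ {ver}")
```

Run it against a real lockfile with `scan_package_lock(open("package-lock.json").read())`. Because the checker only encodes the ranges the advisory states, a version outside them (such as a 5.0.0 release) is reported as not affected; it says nothing about whether that version is the fix.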

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
npm
Product
@vitest/browser, vite-plus
Versions
@vitest/browser >= 3.0.0 <= 3.2.4; >= 4.0.0 <= 4.1.7; >= 5.0.0-beta.0 <= 5.0.0-beta.3. vite-plus <= 0.1.23

Weakness (CWE)
CWE-749, CWE-862

Timeline

Disclosed
June 15, 2026

CVSS

9.8
Critical (9.0–10)

What is CVE-2026-53633: Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite?

CVE-2026-53633 (Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite) maps to the Initial Access, Execution, Persistence and Privilege Escalation tactics in MITRE ATT&CK; under Initial Access, the adversary is trying to get into your network.

This page provides production-ready detection logic for CVE-2026-53633 (Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Network Security Groups and Microsoft Sentinel Network Logs. The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence, Privilege Escalation
Microsoft Sentinel / Defender
kusto
// Vitest browser mode default ports and the API / CDP paths named on this page
let VitestPorts = dynamic([51204, 51205, 5173, 5174, 4173]);
let SuspiciousCDPPaths = dynamic(["/json", "/__vitest_api__", "/__vitest__", "/cdp", "/ws"]);
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated >= ago(24h)
// keep connections that were allowed (DeviceAction is only populated on CommonSecurityLog rows)
| where (DeviceAction !in ("blocked", "deny") or isempty(DeviceAction))
| where RemotePort in (VitestPorts) or DestinationPort in (VitestPorts)
| extend RequestPath = tostring(parse_url(RequestURL)["Path"])
| where RequestPath has_any (SuspiciousCDPPaths) or RequestURL has_any (SuspiciousCDPPaths)
| extend IsExternal = ipv4_is_private(RemoteIP) == false or ipv4_is_private(SourceIP) == false
| extend SuspiciousCDPCommand = RequestURL has_any ("Runtime.evaluate", "Page.navigate", "Target.attachToTarget", "IO.read")
| where IsExternal or SuspiciousCDPCommand
| project TimeGenerated, DeviceName, RemoteIP, DestinationIP, RemotePort, DestinationPort, RequestURL, RequestPath, IsExternal, SuspiciousCDPCommand
// per-row flags are carried through the aggregation as counts so RiskScore can still use them
| summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Paths=make_set(RequestPath, 20), ExternalCount=countif(IsExternal), CDPCommandCount=countif(SuspiciousCDPCommand) by DeviceName, RemoteIP, DestinationIP
| extend RiskScore = iif(CDPCommandCount > 0 or ExternalCount > 0, "High", "Medium")

Detects network connections to Vitest browser mode default ports from external IPs or containing suspicious Chrome DevTools Protocol (CDP) API paths indicative of CVE-2026-53633 exploitation attempts.

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Azure Network Security Groups, Microsoft Sentinel Network Logs

Required Tables

DeviceNetworkEvents, CommonSecurityLog

False Positives

  • Legitimate internal developer machines running Vitest in browser mode for local testing
  • CI/CD pipelines that run Vitest browser mode tests on internal networks with multiple test runners
  • Security research environments deliberately exposing Vitest APIs for testing

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-53633 (Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Vitest Browser Mode CDP Discovery via /json Endpoint

    Expected signal: HTTP GET requests to /json and /__vitest_api__/ on ports 51204 or 5173 from an external source IP visible in web server or proxy logs

  2. Test 2: CDP Runtime.evaluate Arbitrary JavaScript Execution via Vitest Browser API

    Expected signal: WebSocket upgrade request to /devtools/page/<id> followed by CDP Runtime.evaluate method in request payload visible in network capture

  3. Test 3: Vitest Config File Overwrite via Exposed API

    Expected signal: HTTP POST to /__vitest_api__ with writeFile method in request body; filesystem audit log showing vitest.config.ts modification timestamp updated outside normal developer hours
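
The three expected signals above (a /json discovery request, a WebSocket path carrying Runtime.evaluate, a POST to /__vitest_api__ with writeFile) can be checked against proxy or web-server logs before the SIEM rule is deployed. The triage script below is an added example written for this page, not code from the page's detection package or the Vitest project. It applies the same ports, paths and CDP method names the KQL rule uses, adds the /devtools/page/ path from Test 2 and the writeFile indicator from Test 3, and, going slightly beyond the rule, keeps internal hits on Vitest API paths at Medium instead of dropping them so they can be tuned against the false positives listed above. The log format (one JSON object per line with src, dst_port, method, url and body fields) and all sample lines are constructed for the example.

```python
"""Triage reverse-proxy log lines for the CVE-2026-53633 signals listed above:
Vitest default ports, Vitest/CDP API paths, external clients, CDP method names
and writeFile calls in the payload. Added example, not page or project code."""
import ipaddress
import json
from urllib.parse import urlsplit

# Ports and paths named on this page, plus the /devtools/page/ WebSocket path from Test 2
VITEST_PORTS = {51204, 51205, 5173, 5174, 4173}
SUSPICIOUS_PATHS = ("/json", "/__vitest_api__", "/__vitest__", "/cdp", "/ws", "/devtools/page/")
CDP_METHODS = ("Runtime.evaluate", "Page.navigate", "Target.attachToTarget", "IO.read")
# RFC 1918 plus loopback and link-local. Deliberately narrower than ipaddress.is_private,
# which also classes the documentation ranges (e.g. 203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log: one JSON object per line; the field names are hypothetical
SAMPLE_LOG = """\
{"ts":"2026-06-16T02:13:07Z","src":"203.0.113.9","dst_port":51204,"method":"GET","url":"http://build01:51204/json","body":""}
{"ts":"2026-06-16T02:13:09Z","src":"203.0.113.9","dst_port":51204,"method":"GET","url":"http://build01:51204/devtools/page/7A1C","body":"{\\"id\\":1,\\"method\\":\\"Runtime.evaluate\\"}"}
{"ts":"2026-06-16T02:13:12Z","src":"203.0.113.9","dst_port":51204,"method":"POST","url":"http://build01:51204/__vitest_api__","body":"{\\"method\\":\\"writeFile\\",\\"path\\":\\"vitest.config.ts\\"}"}
{"ts":"2026-06-16T09:00:01Z","src":"10.20.0.15","dst_port":5173,"method":"GET","url":"http://build01:5173/__vitest__/","body":""}
{"ts":"2026-06-16T09:00:02Z","src":"10.20.0.15","dst_port":443,"method":"GET","url":"https://intranet/docs/json","body":""}
"""


def is_external(ip_text):
    """True when the client address is outside the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def _matches_suspicious_path(path):
    # exact segment match or a sub-path, so /docs/json does not match /json
    return any(path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/") for p in SUSPICIOUS_PATHS)


def triage_line(line):
    """Return a finding for a line hitting a Vitest port and a suspicious path, else None."""
    ev = json.loads(line)
    if ev["dst_port"] not in VITEST_PORTS:
        return None
    path = urlsplit(ev["url"]).path
    if not _matches_suspicious_path(path):
        return None
    payload = ev["url"] + " " + ev.get("body", "")
    cdp_methods = [m for m in CDP_METHODS if m in payload]
    config_write = ev["method"] == "POST" and "writeFile" in ev.get("body", "")
    external = is_external(ev["src"])
    # Any corroborating signal lifts the event to High; a bare internal hit on a
    # Vitest API path stays Medium so developer machines and CI runners can be tuned out.
    risk = "High" if (external or cdp_methods or config_write) else "Medium"
    return {"ts": ev["ts"], "src": ev["src"], "dst_port": ev["dst_port"], "path": path,
            "external": external, "cdp_methods": cdp_methods,
            "config_write": config_write, "risk": risk}


def triage(log_text):
    """Apply triage_line to every non-empty line and keep the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines() if l.strip()) if f]


def summarize(findings):
    """Group per source IP as the KQL summarize does: count, first/last seen, paths, highest risk."""
    out = {}
    for f in findings:
        s = out.setdefault(f["src"], {"count": 0, "first_seen": f["ts"], "last_seen": f["ts"],
                                      "paths": set(), "risk": "Medium"})
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], f["ts"])  # ISO-8601 UTC strings sort lexically
        s["last_seen"] = max(s["last_seen"], f["ts"])
        s["paths"].add(f["path"])
        if f["risk"] == "High":
            s["risk"] = "High"
    return out


if __name__ == "__main__":
    for src, s in summarize(triage(SAMPLE_LOG)).items():
        print(f"{s['risk']:6} {src:15} hits={s['count']} paths={sorted(s['paths'])}")
```

On the constructed sample, the external client produces three High findings (discovery, CDP command, config write) and the internal developer host one Medium hit on /__vitest__/, while the /docs/json request on port 443 is ignored because it neither targets a Vitest port nor matches a suspicious path segment.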
