CVE-2026-53633 Elastic Security · Elastic

Detect CVE-2026-53633: Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite in Elastic Security

CVE-2026-53633 is a critical (CVSS 9.8) remote code execution vulnerability in @vitest/browser and vite-plus packages. The browser mode API is exposed without adequate authorization controls (CWE-749, CWE-862), allowing unauthenticated attackers to proxy Chrome DevTools Protocol (CDP) commands and overwrite configuration files. This can lead to arbitrary code execution on the host running Vitest in browser mode. Affected versions include @vitest/browser >= 3.0.0 <= 3.2.4, >= 4.0.0 <= 4.1.7, >= 5.0.0-beta.0 <= 5.0.0-beta.3, and vite-plus <= 0.1.23. A public PoC exists.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Privilege Escalation

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where destination.port in (51204, 51205, 5173, 5174, 4173)
   and url.path like~ "*__vitest*" or url.path like~ "*/cdp*" or url.path like~ "*/json"]
  [network where destination.port in (51204, 51205, 5173, 5174, 4173)
   and (url.query like~ "*Runtime.evaluate*"
     or url.query like~ "*Page.navigate*"
     or url.query like~ "*Target.attachToTarget*"
     or url.path like~ "*.config*"
     or url.path like~ "*.env*")]
critical severity high confidence

EQL sequence detection identifying initial Vitest browser mode API discovery followed by CDP command injection or config file access, characteristic of CVE-2026-53633 multi-step exploitation.

Data Sources

Elastic Network Packet CaptureElastic Agent network events

Required Tables

logs-network.*logs-endpoint.events.network-*

False Positives & Tuning

  • Automated test frameworks making sequential API calls to Vitest during legitimate test runs
  • Browser developer tools connecting to Vitest WebSocket endpoints during debugging
  • Integration test suites that enumerate Vitest API capabilities before test execution

Other platforms for CVE-2026-53633

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Vitest Browser Mode CDP Discovery via /json Endpoint

    Expected signal: HTTP GET requests to /json and /__vitest_api__/ on ports 51204 or 5173 from an external source IP visible in web server or proxy logs

  2. Test 2CDP Runtime.evaluate Arbitrary JavaScript Execution via Vitest Browser API

    Expected signal: WebSocket upgrade request to /devtools/page/<id> followed by CDP Runtime.evaluate method in request payload visible in network capture

  3. Test 3Vitest Config File Overwrite via Exposed API

    Expected signal: HTTP POST to /__vitest_api__ with writeFile method in request body; filesystem audit log showing vitest.config.ts modification timestamp updated outside normal developer hours

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-53633 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.006PythonT1565.001Stored Data Manipulation

Same Tactic: Initial Access

Popular Detections