CVE-2026-53633 IBM QRadar · QRadar

Detect CVE-2026-53633: Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite in IBM QRadar

CVE-2026-53633 is a critical (CVSS 9.8) remote code execution vulnerability in @vitest/browser and vite-plus packages. The browser mode API is exposed without adequate authorization controls (CWE-749, CWE-862), allowing unauthenticated attackers to proxy Chrome DevTools Protocol (CDP) commands and overwrite configuration files. This can lead to arbitrary code execution on the host running Vitest in browser mode. Affected versions include @vitest/browser >= 3.0.0 <= 3.2.4, >= 4.0.0 <= 4.1.7, >= 5.0.0-beta.0 <= 5.0.0-beta.3, and vite-plus <= 0.1.23. A public PoC exists.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Privilege Escalation

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip,
  destinationip,
  destinationport,
  URL,
  starttime,
  CATEGORYNAME(category) AS category_name,
  eventcount
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Nginx', 'F5 BIG-IP', 'Palo Alto Networks Firewall')
  AND destinationport IN (51204, 51205, 5173, 5174, 4173)
  AND (
    URL IMATCHES '.*(__vitest_api__|__vitest__|/cdp|/json|/ws).*'
    OR URL IMATCHES '.*(Runtime\.evaluate|Page\.navigate|Target\.attachToTarget|IO\.read).*'
    OR URL IMATCHES '.*\.(env|config\.js|config\.ts|config\.mjs|config\.cjs).*'
  )
  AND NOT INCIDR(sourceip, '10.0.0.0/8')
  AND NOT INCIDR(sourceip, '172.16.0.0/12')
  AND NOT INCIDR(sourceip, '192.168.0.0/16')
  AND DATEFORMAT(starttime, 'YYYY-MM-dd') >= DATEFORMAT(NOW() - 86400000, 'YYYY-MM-dd')
ORDER BY starttime DESC
LIMIT 1000
critical severity medium confidence

QRadar AQL query detecting external source IPs accessing Vitest browser mode API paths and CDP endpoints on known Vitest ports, flagging potential CVE-2026-53633 exploitation from untrusted networks.

Data Sources

QRadar Network ActivityWeb Application Firewall logsProxy logs

Required Tables

events

False Positives & Tuning

  • Developers working remotely through VPN whose exit IP appears external to the detection rule
  • Penetration testing engagements targeting development environments
  • Automated dependency scanning tools that probe package-related ports

Other platforms for CVE-2026-53633

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Vitest Browser Mode CDP Discovery via /json Endpoint

    Expected signal: HTTP GET requests to /json and /__vitest_api__/ on ports 51204 or 5173 from an external source IP visible in web server or proxy logs

  2. Test 2CDP Runtime.evaluate Arbitrary JavaScript Execution via Vitest Browser API

    Expected signal: WebSocket upgrade request to /devtools/page/<id> followed by CDP Runtime.evaluate method in request payload visible in network capture

  3. Test 3Vitest Config File Overwrite via Exposed API

    Expected signal: HTTP POST to /__vitest_api__ with writeFile method in request body; filesystem audit log showing vitest.config.ts modification timestamp updated outside normal developer hours

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-53633 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.006PythonT1565.001Stored Data Manipulation

Same Tactic: Initial Access

Popular Detections