
Detect CVE-2026-53633: Vitest Browser Mode API RCE via CDP Proxy and Config Overwrite in Splunk

CVE-2026-53633 is a critical (CVSS 9.8) remote code execution vulnerability in the @vitest/browser and vite-plus packages. The browser mode API is exposed without adequate authorization controls (CWE-749, Exposed Dangerous Method or Functionality; CWE-862, Missing Authorization), so an unauthenticated attacker who can reach the dev server can proxy Chrome DevTools Protocol (CDP) commands and overwrite configuration files. Either path can lead to arbitrary code execution on the host running Vitest in browser mode. Affected versions: @vitest/browser >= 3.0.0 <= 3.2.4, >= 4.0.0 <= 4.1.7 and >= 5.0.0-beta.0 <= 5.0.0-beta.3, and vite-plus <= 0.1.23. A public PoC exists.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence, Privilege Escalation

SPL Detection Query

index=network OR index=proxy OR index=webserver earliest=-24h
| eval src_ip=coalesce(src_ip, src, clientip), dest_ip=coalesce(dest_ip, dest), uri_query=coalesce(uri_query, "")
| where dest_port IN (51204, 51205, 5173, 5174, 4173) OR src_port IN (51204, 51205, 5173, 5174, 4173)
| eval cdp_path=if(match(uri_path, "(__vitest_api__|__vitest__|/cdp|/json|/ws)"), 1, 0)
| eval cdp_command=if(match(uri_query, "(Runtime\.evaluate|Page\.navigate|Target\.attachToTarget|IO\.read|Target\.createTarget)"), 1, 0)
| eval config_write=if(match(uri_path, "(\.env|\.config\.(js|ts|mjs)|vitest\.config|vite\.config)"), 1, 0)
| eval src_external=if(NOT match(src_ip, "^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|::1$)"), 1, 0)
| where cdp_path=1 OR cdp_command=1 OR config_write=1 OR src_external=1
| eval risk_score=case(
    cdp_command=1 AND src_external=1, 90,
    config_write=1 AND src_external=1, 90,
    config_write=1, 80,
    cdp_command=1, 75,
    src_external=1 AND cdp_path=1, 70,
    true(), 50
  )
| stats count AS request_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(uri_path) AS paths, max(risk_score) AS max_risk by src_ip, dest_ip, dest_port
| where max_risk >= 70
| sort -max_risk
Severity: critical. Confidence: medium.

Detects HTTP requests to Vitest browser mode API endpoints, including CDP proxy paths and configuration file write attempts, consistent with CVE-2026-53633 exploitation. Two caveats before deploying it. First, the cdp_command and config_write flags are matched against uri_query and uri_path, so they fire only when the CDP method or target file name appears in the request URL; CDP messages carried inside an established WebSocket session never reach access_combined and are only visible with stream:http or a packet capture (Test 2 below assumes that telemetry). Second, /json and /ws are generic path fragments; the port pre-filter is what keeps them from matching unrelated services, so do not widen the port list without also tightening the path regex. Loopback sources are treated as internal so that a developer's own requests to a Vitest server bound to localhost do not score as external.
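To see what the query actually scores, the following is an added example (not part of this page's detection content and not Vitest's or Splunk's code) that re-implements the same feature flags, case() ladder, per-(src_ip, dest_ip, dest_port) aggregation and 70-point threshold in Python over constructed access log lines. It assumes an Apache vhost_combined-style prefix (%v:%p, i.e. server address and listening port) ahead of the usual combined fields so that dest_ip and dest_port can be recovered from each line; the sample log, IP addresses and user agents are all constructed, and loopback is counted as internal in addition to the RFC 1918 ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real traffic). Format assumption: Apache
# vhost_combined, i.e. "%v:%p" (server address:listening port) in front of
# the standard combined fields, so dest_ip/dest_port are on every line.
SAMPLE_LOG = """\
10.20.30.40:51204 203.0.113.5 - - [10/May/2026:03:12:01 +0000] "GET /json HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.30.40:51204 203.0.113.5 - - [10/May/2026:03:12:02 +0000] "GET /__vitest_api__/ HTTP/1.1" 101 0 "-" "python-requests/2.31"
10.20.30.40:51204 203.0.113.5 - - [10/May/2026:03:12:05 +0000] "POST /__vitest_api__/?method=Runtime.evaluate HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.20.30.40:51204 198.51.100.9 - - [10/May/2026:03:15:00 +0000] "PUT /vitest.config.ts HTTP/1.1" 200 0 "-" "curl/8.4.0"
127.0.0.1:51204 127.0.0.1 - - [10/May/2026:09:01:00 +0000] "GET /__vitest__/ HTTP/1.1" 200 2048 "http://localhost:51204/" "Mozilla/5.0"
10.20.30.40:5173 10.0.0.7 - - [10/May/2026:09:05:00 +0000] "GET /json HTTP/1.1" 200 512 "-" "ci-healthcheck/1.0"
10.20.30.40:8080 203.0.113.5 - - [10/May/2026:09:06:00 +0000] "GET /json HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<dest_ip>[\d.]+):(?P<dest_port>\d+) (?P<src_ip>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Same port list and regexes as the SPL query.
VITEST_PORTS = {51204, 51205, 5173, 5174, 4173}
CDP_PATH = re.compile(r"(__vitest_api__|__vitest__|/cdp|/json|/ws)")
CDP_COMMAND = re.compile(
    r"(Runtime\.evaluate|Page\.navigate|Target\.attachToTarget|IO\.read|Target\.createTarget)"
)
CONFIG_WRITE = re.compile(r"(\.env|\.config\.(js|ts|mjs)|vitest\.config|vite\.config)")
# RFC 1918 plus loopback (loopback is an addition here: a developer's own
# requests to a Vitest server bound to localhost must not count as external).
INTERNAL_SRC = re.compile(r"^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|::1$)")


def features(ev):
    """The per-request flags the SPL query derives with eval."""
    path, _, query = ev["uri"].partition("?")
    return {
        "path": path,
        "cdp_path": bool(CDP_PATH.search(path)),
        "cdp_command": bool(CDP_COMMAND.search(query)),
        "config_write": bool(CONFIG_WRITE.search(path)),
        "src_external": INTERNAL_SRC.match(ev["src_ip"]) is None,
    }


def risk_score(f):
    """Same case() ladder: a CDP command or config write from outside scores highest."""
    if f["cdp_command"] and f["src_external"]:
        return 90
    if f["config_write"] and f["src_external"]:
        return 90
    if f["config_write"]:
        return 80
    if f["cdp_command"]:
        return 75
    if f["cdp_path"] and f["src_external"]:
        return 70
    return 50


def detect(log_text, threshold=70):
    """One alert per (src_ip, dest_ip, dest_port) whose max risk reaches the threshold."""
    buckets = defaultdict(lambda: {"request_count": 0, "paths": set(), "max_risk": 0,
                                   "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["dest_port"] = int(ev["dest_port"])
        if ev["dest_port"] not in VITEST_PORTS:  # the port pre-filter
            continue
        f = features(ev)
        if not (f["cdp_path"] or f["cdp_command"] or f["config_write"] or f["src_external"]):
            continue
        ts = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        b = buckets[(ev["src_ip"], ev["dest_ip"], ev["dest_port"])]
        b["request_count"] += 1
        b["paths"].add(f["path"])
        b["max_risk"] = max(b["max_risk"], risk_score(f))
        b["first_seen"] = ts if b["first_seen"] is None else min(b["first_seen"], ts)
        b["last_seen"] = ts if b["last_seen"] is None else max(b["last_seen"], ts)
    alerts = []
    for (src_ip, dest_ip, dest_port), b in buckets.items():
        if b["max_risk"] >= threshold:
            alerts.append({"src_ip": src_ip, "dest_ip": dest_ip, "dest_port": dest_port,
                           **b, "paths": sorted(b["paths"])})
    return sorted(alerts, key=lambda a: (-a["max_risk"], -a["request_count"]))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["max_risk"], a["src_ip"], "->", f'{a["dest_ip"]}:{a["dest_port"]}',
              a["request_count"], "requests", a["paths"])
```

Run as written, the two external sources alert at 90: the CDP method name in the query string and the PUT to vitest.config.ts. The developer on 127.0.0.1 and the CI health check from 10.0.0.7 both touch CDP-looking paths but stay at 50 and are dropped, and the request to port 8080 never enters scoring; lowering the threshold to 50 brings the two internal sources back, which is the trade-off the tuning section below is about.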

Data Sources

  • Network proxy logs
  • Web server access logs
  • Firewall logs

Required Sourcetypes

  • access_combined
  • pan:traffic
  • cisco:asa
  • stream:http

False Positives & Tuning

  • Internal CI/CD systems running Vitest integration tests across subnets
  • Developers accessing Vitest UI from corporate proxy IP addresses that appear external
  • Monitoring systems probing test server health endpoints on Vitest ports

Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Vitest Browser Mode CDP Discovery via /json Endpoint

    Expected signal: HTTP GET requests to /json and /__vitest_api__/ on ports 51204 or 5173 from an external source IP visible in web server or proxy logs

  2. Test 2: CDP Runtime.evaluate Arbitrary JavaScript Execution via Vitest Browser API

    Expected signal: WebSocket upgrade request to /devtools/page/<id>, followed by a CDP Runtime.evaluate method in the frame payload. Only the upgrade request appears in access logs; the method name is visible only in stream:http or a packet capture.

  3. Test 3: Vitest Config File Overwrite via Exposed API

    Expected signal: HTTP POST to /__vitest_api__ with writeFile method in request body; filesystem audit log showing vitest.config.ts modification timestamp updated outside normal developer hours
