# [CRIT] [GHSA / CRITICAL] CVE-2026-53633: Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE **Source:** GitHub Security Advisories **Published:** 2026-06-15 **Article:** https://github.com/advisories/GHSA-g8mr-85jm-7xhm ## Threat Profile Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE ## Summary Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. CDP is not gated by `browser.api.allowWrite`, `browser.api.allowExec`, `api.allowWrite`, or `api.allowExec`. As a result, disabling Browser Mode write and exec operations does not prevent a browser API client from using CDP to perform equivalent acti… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-53633` ## MITRE ATT&CK Techniques - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1562.001** — Impair Defenses: Disable or Modify Tools - **T1546** — Event Triggered Execution - **T1059.007** — Command and Scripting Interpreter: JavaScript - **T1059** — Command and Scripting Interpreter ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Vitest Browser API listening on all interfaces (CVE-2026-53633 pre-condition) `UC_54_3` · phase: **weapon** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="node.exe" Processes.process="*vitest*" Processes.process="*browser.api.host*" Processes.process="*0.0.0.0*" by Processes.dest Processes.user Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where FileName =~ "node.exe" or InitiatingProcessFileName =~ "node.exe" | where ProcessCommandLine has_any ("vitest","@vitest/browser","vite-plus") | where ProcessCommandLine has "browser.api.host" and ProcessCommandLine has "0.0.0.0" | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath | order by Timestamp desc ``` ### Inbound non-loopback connection to Vitest browser API listener (TCP/63315) `UC_54_4` · phase: **delivery** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.src) as src_ips from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port=63315 All_Traffic.transport=tcp by All_Traffic.dest All_Traffic.app | `drop_dm_object_name(All_Traffic)` | iplocation src_ips | where NOT cidrmatch("127.0.0.0/8", src_ips) AND NOT cidrmatch("::1/128", src_ips) ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where ActionType in ("InboundConnectionAccepted","ListeningConnectionCreated","ConnectionAccepted") | where LocalPort == 63315 | where InitiatingProcessFileName =~ "node.exe" | where InitiatingProcessCommandLine has_any ("vitest","@vitest/browser","vite-plus") | where RemoteIPType != "Loopback" and RemoteIP !startswith "169.254" | project Timestamp, DeviceName, LocalIP, LocalPort, RemoteIP, RemoteIPType, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName | order by Timestamp desc ``` ### Vitest false-sense-of-security config: allowWrite/allowExec false but CDP bridge exposed `UC_54_5` · phase: **weapon** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="node.exe" Processes.process="*vitest*" Processes.process="*allowWrite*" Processes.process="*allowExec*" by Processes.dest Processes.user Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | regex process="(?i)allowWrite\s*[:=]\s*false" | regex process="(?i)allowExec\s*[:=]\s*false" | regex process="(?i)(browser\.api\.host|--host)[\s=]+(0\.0\.0\.0|::|[^\s]+)" ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where FileName =~ "node.exe" or InitiatingProcessFileName =~ "node.exe" | where ProcessCommandLine has_any ("vitest","@vitest/browser","vite-plus") | where ProcessCommandLine matches regex @"(?i)allowWrite\s*[:=]\s*false" | where ProcessCommandLine matches regex @"(?i)allowExec\s*[:=]\s*false" | where ProcessCommandLine has "browser.api.host" and ProcessCommandLine has_any ("0.0.0.0","::") | where not(ProcessCommandLine matches regex @"(?i)allowCDP\s*[:=]\s*false") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath | order by Timestamp desc ``` ### vite/vitest config file modified by browser-context process (CVE-2026-53633 payload drop) `UC_54_6` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified","renamed") (Filesystem.file_name="vite.config.ts" OR Filesystem.file_name="vite.config.js" OR Filesystem.file_name="vite.config.mjs" OR Filesystem.file_name="vite.config.cjs" OR Filesystem.file_name="vitest.config.ts" OR Filesystem.file_name="vitest.config.js" OR Filesystem.file_name="vitest.config.mjs" OR Filesystem.file_name="vitest.config.cjs") (Filesystem.process_name="chrome.exe" OR Filesystem.process_name="chromium.exe" OR Filesystem.process_name="msedge.exe" OR Filesystem.process_name="msedgewebview2.exe" OR Filesystem.process_name="firefox.exe" OR Filesystem.process_name="brave.exe" OR Filesystem.process_name="headless_shell.exe" OR Filesystem.process_name="playwright.exe") by Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where ActionType in ("FileCreated","FileModified","FileRenamed") | where FileName matches regex @"(?i)^(vite|vitest)\.config\.(ts|js|mjs|cjs)$" | where InitiatingProcessFileName has_any ("chrome.exe","chromium.exe","msedge.exe","msedgewebview2.exe","firefox.exe","brave.exe","headless_shell.exe","playwright.exe","opera.exe") | project Timestamp, DeviceName, FileName, FolderPath, PreviousFileName, PreviousFolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, FileOriginUrl | order by Timestamp desc ``` ### WebSocket access to Vitest browser API tester endpoint (CVE-2026-53633 exploit signature) `UC_54_7` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count values(Web.user) as users values(Web.src) as src_ip values(Web.dest) as dest_ip from datamodel=Web where (Web.url="*__vitest_browser_api__*" OR Web.url="*__vitest_test__*") by Web.src Web.dest Web.url Web.http_user_agent _time | `drop_dm_object_name(Web)` | search url="*type=tester*" OR url="*sendCdpEvent*" OR url="*__vitest_test__*" ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where isnotempty(RemoteUrl) | where RemoteUrl has_any ("__vitest_browser_api__","__vitest_test__") or (RemotePort == 63315 and RemoteUrl has "type=tester") | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessAccountName | order by Timestamp desc ``` ### Config-reload RCE: node.exe spawns shell/LOLBin within 30s of vite/vitest config write `UC_54_8` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` min(_time) as fileTime values(Filesystem.process_name) as writer from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") (Filesystem.file_name="vite.config.ts" OR Filesystem.file_name="vite.config.js" OR Filesystem.file_name="vite.config.mjs" OR Filesystem.file_name="vite.config.cjs" OR Filesystem.file_name="vitest.config.ts" OR Filesystem.file_name="vitest.config.js" OR Filesystem.file_name="vitest.config.mjs") by Filesystem.dest Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | join type=inner dest [ | tstats `summariesonly` min(_time) as procTime values(Processes.process) as childCmd from datamodel=Endpoint.Processes where Processes.parent_process_name="node.exe" (Processes.process_name="cmd.exe" OR Processes.process_name="powershell.exe" OR Processes.process_name="pwsh.exe" OR Processes.process_name="wscript.exe" OR Processes.process_name="cscript.exe" OR Processes.process_name="mshta.exe" OR Processes.process_name="bash.exe" OR Processes.process_name="sh.exe" OR Processes.process_name="wmic.exe" OR Processes.process_name="curl.exe" OR Processes.process_name="wget.exe" OR Processes.process_name="bitsadmin.exe" OR Processes.process_name="certutil.exe" OR Processes.process_name="rundll32.exe" OR Processes.process_name="regsvr32.exe") by Processes.dest Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` ] | where procTime >= fileTime AND procTime <= fileTime + 30 | eval delaySec = procTime - fileTime | table fileTime procTime delaySec dest file_name file_path writer process_name childCmd ``` **Defender KQL:** ```kql let WindowSeconds = 30; let ConfigWrites = DeviceFileEvents | where Timestamp > ago(7d) | where ActionType in ("FileCreated","FileModified","FileRenamed") | where FileName matches regex @"(?i)^(vite|vitest)\.config\.(ts|js|mjs|cjs)$" | project ConfigWriteTime = Timestamp, DeviceId, DeviceName, ConfigPath = FolderPath, ConfigFile = FileName, ConfigWriter = InitiatingProcessFileName, WriterCmd = InitiatingProcessCommandLine; ConfigWrites | join kind=inner ( DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName =~ "node.exe" | where InitiatingProcessCommandLine has_any ("vitest","@vitest/browser","vite") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","bash.exe","sh.exe","wmic.exe","curl.exe","wget.exe","bitsadmin.exe","certutil.exe","rundll32.exe","regsvr32.exe","net.exe","netsh.exe") | project ChildSpawnTime = Timestamp, DeviceId, ChildProcess = FileName, ChildCmd = ProcessCommandLine, NodeCmd = InitiatingProcessCommandLine, NodeFolderPath = InitiatingProcessFolderPath, AccountName ) on DeviceId | where ChildSpawnTime between (ConfigWriteTime .. ConfigWriteTime + WindowSeconds * 1s) | extend DelaySec = datetime_diff('second', ChildSpawnTime, ConfigWriteTime) | project ConfigWriteTime, ChildSpawnTime, DelaySec, DeviceName, AccountName, ConfigPath, ConfigFile, ConfigWriter, WriterCmd, ChildProcess, ChildCmd, NodeCmd | order by ConfigWriteTime desc ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-53633: Vitest Browser: Exposed Browser Mode API Can P `UC_54_2` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-53633: Vitest Browser: Exposed Browser Mode API Can P ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("node.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("node.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-53633: Vitest Browser: Exposed Browser Mode API Can P // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-53633` ## Why this matters Severity classified as **CRIT** based on: CVE present, 9 use case(s) fired, 8 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.