@forgerock/create-package-0.0.1.tgz: 2 vulnerabilities (highest severity is: 9.6) - autoclosed #9
Description
Vulnerable Library - @forgerock/create-package-0.0.1.tgz
Path to vulnerable library: /package.json
Found in HEAD commit: ee8c7aafbe3b941a4da35bf641d2e93842f23673
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (@forgerock/create-package version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-24964 |  Critical |
9.6 | vitest-1.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-24010 |  Medium |
6.5 | vite-5.4.8.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-24964
Vulnerable Library - vitest-1.5.0.tgz
Library home page: https://registry.npmjs.org/vitest/-/vitest-1.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/create-package-0.0.1.tgz (Root Library)
- ❌ vitest-1.5.0.tgz (Vulnerable Library)
Found in HEAD commit: ee8c7aafbe3b941a4da35bf641d2e93842f23673
Found in base branch: main
Vulnerability Details
Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When "api" option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has "saveTestFile" API that can edit a test file and "rerun" API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the "saveTestFile" API and then running that file by calling the "rerun" API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2025-02-04
URL: CVE-2025-24964
CVSS 3 Score Details (9.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9crc-q9x8-hgqq
Release Date: 2025-02-04
Fix Resolution: vitest - 1.6.1,2.1.9,3.0.5
CVE-2025-24010
Vulnerable Library - vite-5.4.8.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/create-package-0.0.1.tgz (Root Library)
- vitest-1.5.0.tgz
- ❌ vite-5.4.8.tgz (Vulnerable Library)
- vitest-1.5.0.tgz
Found in HEAD commit: ee8c7aafbe3b941a4da35bf641d2e93842f23673
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6.
Publish Date: 2025-01-20
URL: CVE-2025-24010
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vg6x-rcgg-rjx6
Release Date: 2025-01-20
Fix Resolution: vite - 4.5.6,5.4.12,6.0.9