From 87b40cfdbd0c5fd6675c6d21baceccbaa1bd226d Mon Sep 17 00:00:00 2001 From: Hiroshi Ogawa <4232207+hi-ogawa@users.noreply.github.com> Date: Tue, 2 Jun 2026 15:45:50 +0900 Subject: [PATCH 1/6] docs: tweak SECURITY.md --- SECURITY.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index f70013b28165..62db3be3bfea 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,7 +16,7 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ ### What Vitest Does Not Trust 1. **Network data and untrusted clients** - The integration built on top of Vite's dev server must treat all inbound network requests as potentially hostile. This includes malformed requests. Clients may be outside the developer's intended environment because of port-forwarding, shared networks, or accidental exposure to the internet. + The integration built on top of Vite's dev server must treat inbound requests from untrusted clients as potentially hostile. This includes malformed requests. ### What Vitest Trusts 
@@ -57,6 +57,7 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ - Malicious Plugins, Custom Commands, or Dependencies (CWE-1357): Plugins, config files, custom browser commands configured through `browser.commands`, and their dependency trees run with full trust during development. A compromised plugin or custom command that exfiltrates data, exposes privileged access without validating browser-provided input, or executes arbitrary code is a supply-chain or project-code concern, not a Vitest vulnerability. - Security Issues in the Application's Own Output: Flaws such as XSS, CSRF, or CSP misconfigurations in the bundled application are the responsibility of the application author. Vitest transforms code but does not guarantee the security properties of the output beyond the code it injects itself. - Reading Files Within Configured Paths (CWE-427): Vitest is expected to read any file the project's configuration makes reachable. Pointing Vitest at a directory that contains sensitive material is a configuration choice, not a Vitest vulnerability. +- Reachability Through Developer-Initiated Network Exposure: If the dev server becomes reachable to other machines only because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared network, that exposure is a developer-managed infrastructure choice. Any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope when origin/host validation is missing or bypassable (see the in-scope examples above). - Attacker With Control Over Configuration (CWE-15): An attacker who can modify environment variables, CLI flags, or `vite.config.*`/`vitest.config.*` already controls a trusted input. Any consequences of that control are out of scope. 
- Bugs in the Runtime or Operating System: Vulnerabilities in Node.js, the OS kernel, or other platform-level components are not considered a vulnerability in Vitest. From 75c6fab788d0e2c23f671937073bdc40177472d7 Mon Sep 17 00:00:00 2001 From: Hiroshi Ogawa <4232207+hi-ogawa@users.noreply.github.com> Date: Tue, 23 Jun 2026 14:18:08 +0900 Subject: [PATCH 2/6] docs: clarify network threat boundary in security policy Define the in-scope untrusted client as browser-reachable (cross-origin / localhost), re-anchor the WebSocket in-scope example to a cross-origin page, and lead the network-exposure carve-out with the principle that defenses target browser-reachable attackers rather than arbitrary network peers. Co-authored-by: OpenCode (claude-opus-4-8) --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 62db3be3bfea..bae6f6f87b49 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,7 +16,7 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ ### What Vitest Does Not Trust 1. **Network data and untrusted clients** - The integration built on top of Vite's dev server must treat inbound requests from untrusted clients as potentially hostile. This includes malformed requests. + The integration built on top of Vite's dev server must treat inbound requests as potentially hostile, including malformed requests and requests originating from other web origins (e.g. a malicious page open in the developer's browser). The untrusted client Vitest defends against is one reaching a localhost-bound dev server through the developer's own browser, not an arbitrary network peer (see "Reachability Through Developer-Initiated Network Exposure" below). ### What Vitest Trusts 
@@ -50,14 +50,14 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ - A crafted URL causes Vitest to run arbitrary code in the browser. - `?otelCarrier` search query XSS [GHSA-2h32-95rg-cppp](https://github.com/vitest-dev/vitest/security/advisories/GHSA-2h32-95rg-cppp) - Missing or bypassable origin / host validation allows a cross-origin page to access dev-server endpoints that can cause confidentiality or integrity issues. -- An unauthenticated WebSocket client injects HMR messages that execute arbitrary JavaScript on the developer's machine or bypasses built-in Commands API's protective layer. +- A cross-origin page opens a WebSocket to the dev server and injects HMR messages that execute arbitrary JavaScript on the developer's machine, or bypasses the built-in Commands API's protective layer, when origin/host validation is missing or bypassable. ### Examples of Non-Vulnerabilities (out of scope) - Malicious Plugins, Custom Commands, or Dependencies (CWE-1357): Plugins, config files, custom browser commands configured through `browser.commands`, and their dependency trees run with full trust during development. A compromised plugin or custom command that exfiltrates data, exposes privileged access without validating browser-provided input, or executes arbitrary code is a supply-chain or project-code concern, not a Vitest vulnerability. - Security Issues in the Application's Own Output: Flaws such as XSS, CSRF, or CSP misconfigurations in the bundled application are the responsibility of the application author. Vitest transforms code but does not guarantee the security properties of the output beyond the code it injects itself. - Reading Files Within Configured Paths (CWE-427): Vitest is expected to read any file the project's configuration makes reachable. Pointing Vitest at a directory that contains sensitive material is a configuration choice, not a Vitest vulnerability. 
-- Reachability Through Developer-Initiated Network Exposure: If the dev server becomes reachable to other machines only because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared network, that exposure is a developer-managed infrastructure choice. Any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope when origin/host validation is missing or bypassable (see the in-scope examples above). +- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers that can reach a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page); they do not attempt to authenticate arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope when origin/host validation is missing or bypassable (see the in-scope examples above). - Attacker With Control Over Configuration (CWE-15): An attacker who can modify environment variables, CLI flags, or `vite.config.*`/`vitest.config.*` already controls a trusted input. Any consequences of that control are out of scope. - Bugs in the Runtime or Operating System: Vulnerabilities in Node.js, the OS kernel, or other platform-level components are not considered a vulnerability in Vitest. From 4864b20b75bc3834dbc063859ca7bb872b3516d1 Mon Sep 17 00:00:00 2001 
From: Hiroshi Ogawa <4232207+hi-ogawa@users.noreply.github.com> Date: Tue, 23 Jun 2026 14:24:11 +0900 Subject: [PATCH 3/6] docs: drop redundant origin/host validation hedges The cross-origin-page in-scope example and the carve-out's in-scope note repeated the "origin/host validation missing or bypassable" precondition already stated in the example above them. Keep the cross-origin callout as the salient property and drop the redundant clauses. Co-authored-by: OpenCode (claude-opus-4-8) --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index bae6f6f87b49..5028a27f359b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -50,14 +50,14 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ - A crafted URL causes Vitest to run arbitrary code in the browser. - `?otelCarrier` search query XSS [GHSA-2h32-95rg-cppp](https://github.com/vitest-dev/vitest/security/advisories/GHSA-2h32-95rg-cppp) - Missing or bypassable origin / host validation allows a cross-origin page to access dev-server endpoints that can cause confidentiality or integrity issues. -- A cross-origin page opens a WebSocket to the dev server and injects HMR messages that execute arbitrary JavaScript on the developer's machine, or bypasses the built-in Commands API's protective layer, when origin/host validation is missing or bypassable. +- A cross-origin page opens a WebSocket to the dev server and injects HMR messages that execute arbitrary JavaScript on the developer's machine, or bypasses the built-in Commands API's protective layer. ### Examples of Non-Vulnerabilities (out of scope) - Malicious Plugins, Custom Commands, or Dependencies (CWE-1357): Plugins, config files, custom browser commands configured through `browser.commands`, and their dependency trees run with full trust during development. A compromised plugin or custom command that exfiltrates data, exposes privileged access without validating browser-provided input, or executes arbitrary code is a supply-chain or project-code concern, not a Vitest vulnerability. - Security Issues in the Application's Own Output: Flaws such as XSS, CSRF, or CSP misconfigurations in the bundled application are the responsibility of the application author. Vitest transforms code but does not guarantee the security properties of the output beyond the code it injects itself. - Reading Files Within Configured Paths (CWE-427): Vitest is expected to read any file the project's configuration makes reachable. Pointing Vitest at a directory that contains sensitive material is a configuration choice, not a Vitest vulnerability. 
-- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers that can reach a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page); they do not attempt to authenticate arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope when origin/host validation is missing or bypassable (see the in-scope examples above). +- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers that can reach a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page); they do not attempt to authenticate arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope (see the in-scope examples above). - Attacker With Control Over Configuration (CWE-15): An attacker who can modify environment variables, CLI flags, or `vite.config.*`/`vitest.config.*` already controls a trusted input. Any consequences of that control are out of scope. 
- Bugs in the Runtime or Operating System: Vulnerabilities in Node.js, the OS kernel, or other platform-level components are not considered a vulnerability in Vitest. From 03b2388f0a633db6f21eeda933fcc1159845044b Mon Sep 17 00:00:00 2001 From: Hiroshi Ogawa <4232207+hi-ogawa@users.noreply.github.com> Date: Tue, 23 Jun 2026 15:01:43 +0900 Subject: [PATCH 4/6] docs: smooth carve-out wording Fold "not arbitrary network peers" into the scoping sentence as a contrast instead of a semicolon-joined clause. Co-authored-by: OpenCode (claude-opus-4-8) --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 5028a27f359b..ae5a15d7b9e3 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -57,7 +57,7 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ - Malicious Plugins, Custom Commands, or Dependencies (CWE-1357): Plugins, config files, custom browser commands configured through `browser.commands`, and their dependency trees run with full trust during development. A compromised plugin or custom command that exfiltrates data, exposes privileged access without validating browser-provided input, or executes arbitrary code is a supply-chain or project-code concern, not a Vitest vulnerability. - Security Issues in the Application's Own Output: Flaws such as XSS, CSRF, or CSP misconfigurations in the bundled application are the responsibility of the application author. Vitest transforms code but does not guarantee the security properties of the output beyond the code it injects itself. - Reading Files Within Configured Paths (CWE-427): Vitest is expected to read any file the project's configuration makes reachable. Pointing Vitest at a directory that contains sensitive material is a configuration choice, not a Vitest vulnerability. -- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers that can reach a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page); they do not attempt to authenticate arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope (see the in-scope examples above). 
+- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers reaching a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page), not arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope (see the in-scope examples above). - Attacker With Control Over Configuration (CWE-15): An attacker who can modify environment variables, CLI flags, or `vite.config.*`/`vitest.config.*` already controls a trusted input. Any consequences of that control are out of scope. - Bugs in the Runtime or Operating System: Vulnerabilities in Node.js, the OS kernel, or other platform-level components are not considered a vulnerability in Vitest. From 0032324c88f29c631ae398ba898f764643a3ed0d Mon Sep 17 00:00:00 2001 From: Hiroshi Ogawa <4232207+hi-ogawa@users.noreply.github.com> Date: Tue, 23 Jun 2026 15:10:21 +0900 Subject: [PATCH 5/6] docs: cover reverse proxy and allowedHosts in network exposure carve-out Name reverse proxy / tunnel (Host rewriting) and relaxing Vite's `server.allowedHosts` as developer-initiated exposure, so reachability gained by disabling Vite's host allowlist is treated the same as port-forwarding rather than as a Vitest network-authentication gap. Co-authored-by: OpenCode (claude-opus-4-8) --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index ae5a15d7b9e3..6683f012a70b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -57,7 +57,7 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ - Malicious Plugins, Custom Commands, or Dependencies (CWE-1357): Plugins, config files, custom browser commands configured through `browser.commands`, and their dependency trees run with full trust during development. A compromised plugin or custom command that exfiltrates data, exposes privileged access without validating browser-provided input, or executes arbitrary code is a supply-chain or project-code concern, not a Vitest vulnerability. - Security Issues in the Application's Own Output: Flaws such as XSS, CSRF, or CSP misconfigurations in the bundled application are the responsibility of the application author. Vitest transforms code but does not guarantee the security properties of the output beyond the code it injects itself. - Reading Files Within Configured Paths (CWE-427): Vitest is expected to read any file the project's configuration makes reachable. Pointing Vitest at a directory that contains sensitive material is a configuration choice, not a Vitest vulnerability. -- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers reaching a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page), not arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, bound it to a public interface (e.g., `--host`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope (see the in-scope examples above). 
+- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers reaching a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page), not arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, fronted it with a reverse proxy or tunnel, bound it to a public interface (e.g. `--host`), relaxed Vite's host allowlist (`server.allowedHosts`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope (see the in-scope examples above). - Attacker With Control Over Configuration (CWE-15): An attacker who can modify environment variables, CLI flags, or `vite.config.*`/`vitest.config.*` already controls a trusted input. Any consequences of that control are out of scope. - Bugs in the Runtime or Operating System: Vulnerabilities in Node.js, the OS kernel, or other platform-level components are not considered a vulnerability in Vitest. From 031a25cd5afac4c8f8bb459641a2fbe51b5281ee Mon Sep 17 00:00:00 2001 From: Hiroshi Ogawa <4232207+hi-ogawa@users.noreply.github.com> Date: Tue, 23 Jun 2026 15:11:44 +0900 Subject: [PATCH 6/6] docs: drop allowedHosts from network exposure carve-out Whether relaxing `server.allowedHosts` is in or out of scope is Vite's call to make in Vite's own policy, not Vitest's to adjudicate. Keep the carve-out to reachability of Vitest's own server (port-forward, reverse proxy / tunnel, public bind, shared network). Co-authored-by: OpenCode (claude-opus-4-8) --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6683f012a70b..c50ac788b482 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -57,7 +57,7 @@ Vitest threat model is largely based on [Vite's](https://github.com/vitejs/vite/ - Malicious Plugins, Custom Commands, or Dependencies (CWE-1357): Plugins, config files, custom browser commands configured through `browser.commands`, and their dependency trees run with full trust during development. A compromised plugin or custom command that exfiltrates data, exposes privileged access without validating browser-provided input, or executes arbitrary code is a supply-chain or project-code concern, not a Vitest vulnerability. - Security Issues in the Application's Own Output: Flaws such as XSS, CSRF, or CSP misconfigurations in the bundled application are the responsibility of the application author. Vitest transforms code but does not guarantee the security properties of the output beyond the code it injects itself. - Reading Files Within Configured Paths (CWE-427): Vitest is expected to read any file the project's configuration makes reachable. Pointing Vitest at a directory that contains sensitive material is a configuration choice, not a Vitest vulnerability. -- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers reaching a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page), not arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, fronted it with a reverse proxy or tunnel, bound it to a public interface (e.g. `--host`), relaxed Vite's host allowlist (`server.allowedHosts`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope (see the in-scope examples above). 
+- Reachability Through Developer-Initiated Network Exposure: Vitest's network defenses target attackers reaching a localhost-bound dev server through the developer's own browser (e.g. a malicious cross-origin page), not arbitrary network peers. If the dev server instead becomes reachable to other clients because the developer port-forwarded it, fronted it with a reverse proxy or tunnel, bound it to a public interface (e.g. `--host`), or placed it on a shared or untrusted network, that exposure is a developer-managed infrastructure choice, and any access or privileged dev-server behavior this reachability enables is out of scope. Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope (see the in-scope examples above). - Attacker With Control Over Configuration (CWE-15): An attacker who can modify environment variables, CLI flags, or `vite.config.*`/`vitest.config.*` already controls a trusted input. Any consequences of that control are out of scope. - Bugs in the Runtime or Operating System: Vulnerabilities in Node.js, the OS kernel, or other platform-level components are not considered a vulnerability in Vitest.
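Review bot: In PATCH 2/6, hunk `@@ -16,7 +16,7`, the first added sentence still reads "must treat inbound requests as potentially hostile" with no qualifier. The sentence added right after it narrows the defended-against client to one "reaching a localhost-bound dev server through the developer's own browser, not an arbitrary network peer". Read on its own, the first sentence promises hardening against any inbound request, which the second sentence and the out-of-scope carve-out then take back. Consider scoping the first sentence directly (for example "must treat requests that reach it through the developer's browser as potentially hostile") so the trust statement and the carve-out cannot be quoted against each other in a report.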
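Review bot: In the carve-out bullet as it stands after PATCH 6/6 (hunk `@@ -57,7 +57,7`), the closing sentence "Browser-originated requests, which reach a localhost-bound server without such exposure, remain in scope" does not say what happens when both conditions hold. If the developer has bound the server to a public interface with `--host` and a cross-origin page in their own browser then reaches it, the server is no longer "localhost-bound", yet the attack does not depend on the added reachability. The phrase "any access or privileged dev-server behavior this reachability enables" suggests that case stays in scope, but "without such exposure" can be read the other way. Suggest stating explicitly that browser-originated cross-origin access remains in scope whether or not the server has also been exposed, or stating the opposite if that is the intent.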
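Review bot: PATCH 5/6 adds "relaxed Vite's host allowlist (`server.allowedHosts`)" to the carve-out in hunk `@@ -57,7 +57,7`, and PATCH 6/6 removes the same clause about a minute later, so the series records a scope statement that was never meant to ship. Suggest squashing the two so that only the "fronted it with a reverse proxy or tunnel" addition remains in history. The reasoning in the PATCH 6/6 message (that `server.allowedHosts` is for Vite's own policy to decide) is useful to reporters and currently lives only in that commit message; since the file already says the threat model is largely based on Vite's, one sentence in the bullet deferring host-allowlist questions to Vite's policy would keep that decision in the document itself.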