
Dependabot Alert: Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening #750

Open
JennaySDavis opened this issue Feb 3, 2025 · 2 comments

Comments

JennaySDavis (Contributor) commented Feb 3, 2025

Arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, via cross-site WebSocket hijacking (CSWSH) attacks.

@JennaySDavis JennaySDavis added Addition to Sprint The ticket is in addition to the planned sprint work Admin User (Separation) labels Feb 3, 2025
@JennaySDavis JennaySDavis changed the title Remove APOC Access from User Profile - Beth White from DOS Reuse Feb 3, 2025
@JennaySDavis JennaySDavis removed Addition to Sprint The ticket is in addition to the planned sprint work Admin User (Separation) Sprint 48 labels Feb 3, 2025
@JennaySDavis JennaySDavis changed the title Reuse Dependabot Alert: Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening Feb 4, 2025
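The mechanism named in the issue description, as an added example that is not Vitest's code and not part of this issue: a WebSocket handshake handler that accepts any Origin (the pattern a CSWSH attack exploits) beside one that compares the Origin header of the HTTP Upgrade request against an explicit allow-list. The port 51204, the /ws path and the allow-list are assumptions chosen for illustration, and the handshake requests are constructed by hand to show what a browser sends from a legitimate page and from an attacker's page.

```javascript
// Added example, not Vitest's code. Demonstrates why a WebSocket server that
// is reachable from the browser must validate the Origin of the Upgrade
// request, and what a cross-site WebSocket hijacking (CSWSH) attempt looks
// like on the wire. Port 51204, the /ws path and the allow-list below are
// assumptions, not values taken from Vitest or from the Dependabot alert.

// Parse the header block of a raw HTTP/1.1 request into a lower-cased map.
function parseRequestHeaders(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// RFC 6455 handshake shape: GET, Upgrade: websocket, Connection: Upgrade.
function isWebSocketUpgrade(req) {
  const connection = (req.headers["connection"] || "").toLowerCase();
  return req.method === "GET"
    && (req.headers["upgrade"] || "").toLowerCase() === "websocket"
    && connection.split(",").map((s) => s.trim()).includes("upgrade");
}

// Vulnerable pattern: every well-formed Upgrade is accepted. Script on
// https://attacker.example running in the victim's browser can therefore do
// new WebSocket("ws://localhost:51204/ws") and drive the API, because the
// browser completes the handshake regardless of which page started it.
function handleUpgradeVulnerable(raw) {
  const req = parseRequestHeaders(raw);
  if (!isWebSocketUpgrade(req)) return { status: 400, reason: "not a websocket upgrade" };
  return { status: 101, reason: "accepted without origin check" };
}

// Hardened pattern: compare the browser-supplied Origin, which page script
// cannot forge, against an exact allow-list. Browsers always send Origin on a
// WebSocket handshake, so a missing header means a non-browser client; whether
// to admit those is a policy decision (policy.allowMissingOrigin).
function handleUpgradeHardened(raw, policy) {
  const req = parseRequestHeaders(raw);
  if (!isWebSocketUpgrade(req)) return { status: 400, reason: "not a websocket upgrade" };
  const origin = req.headers["origin"];
  if (origin === undefined) {
    return policy.allowMissingOrigin
      ? { status: 101, reason: "no Origin header (non-browser client)" }
      : { status: 403, reason: "missing Origin header" };
  }
  let parsed;
  try {
    parsed = new URL(origin); // also rejects the literal "null" origin
  } catch {
    return { status: 403, reason: "malformed Origin" };
  }
  // Compare full origins (scheme + host + port), never prefixes, so that
  // http://localhost.attacker.example:51204 does not match http://localhost.
  if (!policy.allowedOrigins.includes(parsed.origin)) {
    return { status: 403, reason: `origin ${parsed.origin} not allowed` };
  }
  return { status: 101, reason: "origin allowed" };
}

// Assumed policy: only the dev/test UI served from the API's own origin.
const POLICY = {
  allowedOrigins: ["http://localhost:51204", "http://127.0.0.1:51204"],
  allowMissingOrigin: false,
};

// Constructed handshake as a browser sends it from the legitimate UI page.
const LEGIT_UPGRADE = [
  "GET /ws HTTP/1.1",
  "Host: localhost:51204",
  "Upgrade: websocket",
  "Connection: Upgrade",
  "Origin: http://localhost:51204",
  "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
  "Sec-WebSocket-Version: 13",
  "",
  "",
].join("\r\n");

// Constructed CSWSH attempt: identical handshake, but initiated by a page on
// the attacker's site, so the browser fills in the attacker's Origin.
const CSWSH_UPGRADE = LEGIT_UPGRADE.replace(
  "Origin: http://localhost:51204", "Origin: https://attacker.example");

// Constructed lookalike host, to show why prefix matching would be unsafe.
const LOOKALIKE_UPGRADE = LEGIT_UPGRADE.replace(
  "Origin: http://localhost:51204", "Origin: http://localhost.attacker.example:51204");

function runDemo() {
  return {
    vulnerableVsAttacker: handleUpgradeVulnerable(CSWSH_UPGRADE),
    hardenedVsAttacker: handleUpgradeHardened(CSWSH_UPGRADE, POLICY),
    hardenedVsLegit: handleUpgradeHardened(LEGIT_UPGRADE, POLICY),
    hardenedVsLookalike: handleUpgradeHardened(LOOKALIKE_UPGRADE, POLICY),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The check is made at handshake time because once the 101 response is sent, the attacker's page has a full-duplex channel and the same-origin policy no longer stands between it and the API; the Dependabot remediation for this issue is the Vitest version upgrade, and the exact-origin comparison above is the class of defence the CSWSH description implies.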
JennaySDavis (Contributor, Author) commented:

Acceptance Criteria

Pass/Fail | Description
Pass      | Full Regression Testing of Training

Comments/Additional Notes
N/A

ADA Compliance (Automated scan via Chrome Lighthouse)

Criteria       | Score
Performance    | 100
Accessibility  | 100
Best Practices | 100

Passed 02/12/2025 - JSD

johnbeallgsa commented:

Thanks for showing during Demo. Moving to Done.

felder101 added a commit that referenced this issue Feb 20, 2025
Includes the following Sprint 49 issues:

Dependabot Alert: Websites were able to send any requests to the development server and read the response in vite #753

Dependabot Alert: Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening #750
felder101 added a commit that referenced this issue Feb 21, 2025
Includes the following Sprint 49 issues:

Dependabot Alert: Websites were able to send any requests to the development server and read the response in vite #753

Dependabot Alert: Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening #750