CVE-2026-47429 PUBLISHED

Vitest: Arbitrary file can be read and executed when Vitest UI server is listening

Assigner: GitHub_M
Reserved: 19.05.2026 Published: 14.07.2026 Updated: 14.07.2026

Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /vitest_attachment, allowing \?\..\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor vitest-dev
Product vitest
Versions
  • Version < 3.2.5 is affected
  • Version >= 4.0.0, < 4.1.0 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE