CVE-2026-47429
vitest-dev · vitest
The Vitest UI/API server is vulnerable to path traversal and arbitrary script execution due to improper path validation on Windows systems.
Executive summary
A critical path traversal and remote code execution vulnerability in the Vitest testing framework allows unauthenticated attackers to read sensitive files and execute arbitrary scripts.
Vulnerability
This vulnerability consists of a path traversal flaw (CWE-22) in the Vitest UI/API server on Windows, caused by the incorrect use of isFileServingAllowed. Attackers can leverage this to read arbitrary files or trigger API features such as saveTestFile and rerun to execute scripts.
Business impact
The ability to read arbitrary files and execute code provides an attacker with complete control over the testing environment. Given the CVSS score of 9.8, this could lead to the exposure of source code, environment secrets, and intellectual property, as well as the potential compromise of the developer's build pipeline.
Remediation
Immediate Action: Update Vitest to version 3.2.5 or 4.1.0 immediately to apply the necessary path validation fixes.
Proactive Monitoring: Monitor server access logs for path traversal patterns such as double-backslashes or directory navigation sequences.
Compensating Controls: Restrict access to the Vitest UI/API port to local or trusted internal networks only, and ensure that build servers are isolated from untrusted internet traffic.
Exploitation status
Public Exploit Available: Yes, a public proof-of-concept is available via GitHub (cve-lite-on-pi).
Analyst recommendation
This vulnerability is highly dangerous due to the availability of proof-of-concept code and the broad access it grants an attacker. All development and CI/CD environments utilizing the affected versions of Vitest must be patched without delay.