Path Traversal Vulnerability in Vitest Framework for Windows
CVE-2026-47429

9.8CRITICAL

Key Information:

Vendor

Vitest-dev

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-47429?

The Vitest framework for Windows, specifically versions prior to 3.2.5 and 4.1.0, contains a path traversal vulnerability in its UI/API server. This vulnerability arises from the incorrect implementation of isFileServingAllowed for the /vitest_attachment endpoint. As a result, it allows attackers to traverse directories, potentially reading sensitive files outside the intended project directory. Additionally, the exposed API features, such as saveTestFile and rerun, could be manipulated to execute arbitrary scripts, increasing the risk of unauthorized actions on the server. Users are urged to upgrade to the latest versions, 3.2.5 or 4.1.0, to mitigate this risk.

Affected Version(s)

vitest < 3.2.5 < 3.2.5

vitest >= 4.0.0, < 4.1.0 < 4.0.0, 4.1.0

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.