Path Traversal Vulnerability in Vitest Framework for Windows
CVE-2026-47429
9.8CRITICAL
What is CVE-2026-47429?
The Vitest framework for Windows, specifically versions prior to 3.2.5 and 4.1.0, contains a path traversal vulnerability in its UI/API server. This vulnerability arises from the incorrect implementation of isFileServingAllowed for the /vitest_attachment endpoint. As a result, it allows attackers to traverse directories, potentially reading sensitive files outside the intended project directory. Additionally, the exposed API features, such as saveTestFile and rerun, could be manipulated to execute arbitrary scripts, increasing the risk of unauthorized actions on the server. Users are urged to upgrade to the latest versions, 3.2.5 or 4.1.0, to mitigate this risk.
Affected Version(s)
vitest < 3.2.5 < 3.2.5
vitest >= 4.0.0, < 4.1.0 < 4.0.0, 4.1.0
