Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
Metrics
Affected Vendors & Products
References
History
Thu, 16 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat
Redhat hummingbird |
|
| CPEs | cpe:/a:redhat:hummingbird:1 | |
| Vendors & Products |
Redhat
Redhat hummingbird |
|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Wed, 15 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Vitest.dev
Vitest.dev vitest |
|
| Vendors & Products |
Vitest.dev
Vitest.dev vitest |
Tue, 14 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0. | |
| Title | Vitest: Arbitrary file can be read and executed when Vitest UI server is listening | |
| Weaknesses | CWE-22 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-07-14T19:28:08.688Z
Updated: 2026-07-14T19:28:08.688Z
Reserved: 2026-05-19T19:37:43.527Z
Link: CVE-2026-47429
No data.
No data.