Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
History

Thu, 16 Jul 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Wed, 15 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Vitest.dev
Vitest.dev vitest
Vendors & Products Vitest.dev
Vitest.dev vitest

Tue, 14 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
Title Vitest: Arbitrary file can be read and executed when Vitest UI server is listening
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-14T19:28:08.688Z

Updated: 2026-07-14T19:28:08.688Z

Reserved: 2026-05-19T19:37:43.527Z

Link: CVE-2026-47429

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-14T19:28:08Z

Links: CVE-2026-47429 - Bugzilla