Description
Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
Published: 2026-07-14
Score: 9.8 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5xrq-8626-4rwp When Vitest UI server is listening, arbitrary file can be read and executed
History

Thu, 16 Jul 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Wed, 15 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Vitest.dev
Vitest.dev vitest
Vendors & Products Vitest.dev
Vitest.dev vitest

Tue, 14 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
Title Vitest: Arbitrary file can be read and executed when Vitest UI server is listening
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Redhat Hummingbird
Vitest.dev Vitest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-14T19:28:08.688Z

Reserved: 2026-05-19T19:37:43.527Z

Link: CVE-2026-47429

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-14T19:28:08Z

Links: CVE-2026-47429 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T13:30:04Z

Weaknesses