PT-2026-45492 · Vitest · Vitest

Published 2026-06-01 · Updated 2026-06-03 · CVE-2026-47429

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vitest versions prior to 4.1.0

Description: A flaw in the Vitest UI/API server on Windows allows an unauthenticated remote attacker to bypass the file-access restrictions and read arbitrary files when the server is exposed to the network. The API handler for the "/__vitest_attachment__" endpoint relies on the isFileServingAllowed function, which checks the path only in its cleanUrl-normalised form (query string stripped) rather than the path that is actually passed to the file-system operation. A request path containing a "?.." sequence therefore passes the allow-list check yet escapes the permitted directory on Windows.

Furthermore, the same API can be abused to achieve remote code execution: the saveTestFile function writes attacker-supplied content as a test file, and the rerun feature then executes it. In browser mode, the readFile, writeFile and saveSnapshotFile functions can likewise be abused for unauthorised file read and write access.
Recommendations: Upgrade to version 4.1.0 or later. As a temporary mitigation, do not expose the Vitest UI/API server to the network: omit the --api.host flag and the api.host configuration option so that the server listens on localhost only. If the API server must be bound to a non-localhost host, ensure the allowWrite and allowExec configuration flags are disabled so that the privileged write and execute operations are not reachable from the network.
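A configuration audit for the recommendation above, added here as an example and not part of Vitest: it normalises the forms Vitest's test.api option accepts (boolean, bare port number, or an object whose host is a string or boolean) to the host the API server would bind to, flags configurations that expose it beyond loopback, and escalates when allowWrite or allowExec is also enabled. The advisory does not say where allowWrite and allowExec live in the configuration, so the audit takes them as fields beside api (an assumption); apiBindHost, isNetworkExposed, auditApiConfig and the two sample configurations are constructed for this example.

```typescript
// Forms Vitest's `test.api` option accepts: boolean | number | { port?, host?, strictPort? }.
type ApiOption = boolean | number | { port?: number; host?: string | boolean; strictPort?: boolean };

// Assumed shape for the audit: the advisory names allowWrite/allowExec but not their
// exact location, so they are modelled here as fields beside `api`.
export interface ApiConfigUnderAudit {
  api?: ApiOption;
  allowWrite?: boolean;
  allowExec?: boolean;
}

const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// Host the API server would bind to, or null when no API server is started.
// `api: true` or a bare port keep the default host (localhost); `host: true` means all interfaces.
export function apiBindHost(api: ApiOption | undefined): string | null {
  if (api === undefined || api === false) return null;
  if (api === true || typeof api === 'number') return 'localhost';
  if (api.host === true) return '0.0.0.0';
  if (api.host === undefined || api.host === false) return 'localhost';
  return api.host;
}

export function isNetworkExposed(api: ApiOption | undefined): boolean {
  const host = apiBindHost(api);
  return host !== null && !LOOPBACK_HOSTS.has(host);
}

export type Severity = 'none' | 'warn' | 'critical';

// Verdict: loopback-only is fine; exposed is a warning (unauthenticated file read reachable);
// exposed with write/exec flags on is critical (write-then-rerun path to code execution).
export function auditApiConfig(cfg: ApiConfigUnderAudit): { severity: Severity; findings: string[] } {
  const findings: string[] = [];
  if (!isNetworkExposed(cfg.api)) return { severity: 'none', findings };
  findings.push(`API server bound to ${apiBindHost(cfg.api)}: reachable by unauthenticated network clients`);
  let severity: Severity = 'warn';
  for (const flag of ['allowWrite', 'allowExec'] as const) {
    if (cfg[flag]) {
      findings.push(`${flag} enabled while exposed: privileged write/exec operations reachable remotely`);
      severity = 'critical';
    }
  }
  return { severity, findings };
}

// Constructed sample configurations (not taken from any real project).
export const weakConfig: ApiConfigUnderAudit = {
  api: { host: '0.0.0.0', port: 51204 }, // equivalent to --api.host 0.0.0.0
  allowWrite: true,
};
export const hardenedConfig: ApiConfigUnderAudit = {
  api: { host: '127.0.0.1', port: 51204 },
  allowWrite: false,
  allowExec: false,
};
```

Run auditApiConfig over the object you actually pass to defineConfig; the weak sample above comes back critical with two findings, the hardened one comes back clean. Binding to localhost is a mitigation, not a fix: the arbitrary file read is still present on the vulnerable versions for anything that can reach the loopback port, so the upgrade to 4.1.0 remains the actual remedy.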

Fix

Upgrade to Vitest 4.1.0 or later.

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-47429
GHSA-5XRQ-8626-4RWP

Affected Products

Vitest