CVE-2026-47429

Summary

Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /vitest_attachment, allowing \?\..\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.

Affected Software

VendorProductVersion RangeStatus
vitest-devvitest< 3.2.5affected
vitest-devvitest>= 4.0.0, < 4.1.0affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References