VYPR
Critical severity (9.8) · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429

Description

Vitest UI server on Windows allows arbitrary file read and script execution due to improper use of isFileServingAllowed, enabling remote code execution when exposed to the network.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2026-47429 affects Vitest versions below 4.1.0 when running on Windows with the Vitest UI or Browser Mode, and the API server is explicitly exposed to the network via --api.host or the api.host config option [1][2]. The API handler for /__vitest_attachment__ incorrectly uses the deprecated isFileServingAllowed function without calling cleanUrl on the path parameter before performing the file system check [1][2]. This makes it possible to bypass the access control with a path containing \?\..\ on Windows; the bypass does not work on Linux, because Linux errors if a directory named ? does not exist [1][2].

Exploitation

An attacker who can reach the exposed Vitest UI server can craft a request to __vitest_attachment__ with a path containing \?\..\ to bypass the isFileServingAllowed check and read arbitrary files from the filesystem [1]. Furthermore, the API provides rerun and file writing capabilities (saveTestFile, and on Browser Mode readFile / writeFile / saveSnapshotFile), allowing an attacker to write a malicious script as a test file and then trigger its execution via the rerun API [1][2]. No authentication is required beyond network access to the UI server [1].

Impact

An attacker gains the ability to read any arbitrary file on the Windows filesystem and to execute arbitrary JavaScript code with the privileges of the Vitest process [1][2]. This leads to full remote code execution in scenarios where the UI server is exposed to the network, resulting in complete compromise of the application and host system [1][2].

Mitigation

The vulnerability is fixed in Vitest version 4.1.0 [1][2]. Users should update to 4.1.0 or later. For users who cannot immediately upgrade, the only effective workaround is to avoid exposing the Vitest UI server to the network and to not run Vitest UI or Browser Mode on Windows if network exposure is required [1][2]. There is no patch for versions prior to 4.1.0 [1][2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"The deprecated `isFileServingAllowed` function is called without first sanitizing the path via `cleanUrl`, allowing a `\?\..\` path-traversal bypass on Windows."

Attack vector

An attacker can send a crafted HTTP request to the Vitest UI server's `/__vitest_attachment__` endpoint with a `path` parameter containing `\?\..\` to bypass the `isFileServingAllowed` check on Windows [ref_id=1]. This path traversal technique works because the deprecated function expects the path to be sanitized by `cleanUrl` before the check, but the handler does not perform that sanitization [ref_id=2]. The attack requires the Vitest UI server to be exposed to the network (via `--api.host` or `api.host` config) or to be running on Windows [ref_id=1]. Additionally, even without the path-traversal bypass, the API's built-in `rerun` and file-write features (`saveTestFile`) allow an attacker who can reach the server to write arbitrary test files and execute them, achieving remote code execution [ref_id=2].

Affected code

The vulnerability resides in the `/__vitest_attachment__` handler in `packages/ui/node/index.ts` (line 77) and similar `isFileServingAllowed` checks in `packages/vitest/src/api/setup.ts` (lines 103-105, 119-121), `packages/browser/src/node/commands/fs.ts` (lines 10-11), `packages/browser/src/node/plugin.ts` (lines 194-196), and `packages/browser/src/node/rpc.ts` (lines 115-121). These calls pass a path that has not been cleaned via `cleanUrl`, allowing the bypass.

What the fix does

The advisory states that Vitest introduced two new configuration flags, `allowWrite` and `allowExec`, which are disabled by default when the API server is bound to a non-`localhost` host [ref_id=2]. When these flags are disabled, the UI enters a read-only mode that disables in-browser code editing, test file execution, and many Browser Mode features (attachments, artifacts, snapshots), removing the attack surface that allowed remote code execution and file read/write [ref_id=2]. Users who need the full interactive UI on a networked host must explicitly set `allowWrite` and/or `allowExec` to `true`. The patch does not appear to fix the `isFileServingAllowed` bypass itself; instead it mitigates the broader abuse by gating the privileged API operations.

Preconditions

  • config: Vitest UI server must be exposed to the network via --api.host or api.host config, or the server must be running on Windows.
  • network: Attacker must be able to reach the Vitest UI server's HTTP endpoint.
  • input: For the path-traversal bypass, the server must be on Windows (Linux errors if a directory named ? does not exist).

Reproduction

1. Run Vitest UI.
2. Get the API token by `curl http://localhost:51204/__vitest__/`.
3. Run `curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN"` (TOKEN is the API token).
4. curl shows the content of `secret.txt`, which is outside the project directory.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
