Vitest Windows Path Traversal & Exec (3.2.5/4.1.0)
CVE-2026-47429 Published on July 14, 2026
Vitest: Arbitrary file can be read and executed when Vitest UI server is listening
Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
Vulnerability Analysis
CVE-2026-47429 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-47429 has been classified to as a Directory traversal vulnerability or weakness.
Affected Versions
vitest-dev vitest:- Version < 3.2.5 is affected.
- Version >= 4.0.0, < 4.1.0 is affected.