External risk intelligence

Vitest Browser Mode JavaScript Execution and Token Exposure

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-47428

Vitest is a testing framework primarily used by developers in build-time or local development environments. It is not intended to be deployed as a public-facing service, web application, or internet-accessible gateway. Exposure would require an administrator to intentionally and incorrectly expose a development-only testing tool to the public internet.

Cross-site Scripting

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

Vitest, a development tool for Vite projects, has a vulnerability that could allow arbitrary JavaScript execution within the Vitest server. This could lead to the exposure of authentication tokens, impacting the integrity of authenticated API calls. While this tool is typically used in development environments, any instance exposed externally could be at risk.

  • Testing tool vulnerability risks token exposure.
  • Developers use this tool, not typically public-facing.
  • Confirm if this development tool is externally exposed.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted URL. This URL would leverage Vitest's browser mode to execute arbitrary JavaScript within the context of the Vitest server. If successful, the attacker could potentially steal sensitive authentication tokens, enabling them to perform authenticated API calls.

  • No authentication required.
  • Crafted URL triggers script execution.
  • Arbitrary JavaScript execution and token theft.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, a crafted browser-runner URL could execute arbitrary JavaScript within the Vitest server origin. This could potentially allow for the recovery of the VITEST_API_TOKEN, enabling authenticated API calls.

  • Test server origin and tokens at risk.
  • Malicious URL could execute JavaScript.
  • Unauthorized API access may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for development environments and CI/CD pipelines should investigate this issue first, as Vitest is a testing framework typically used in these contexts. The initial action involves identifying all instances of Vitest within the development and testing infrastructure, determining their reachability and criticality, and then coordinating with development or platform teams for remediation during planned maintenance windows.

  • Identify Vitest instances and assess reachability.
  • Accountable owner must be confirmed.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Vitest and its role in software development?

Vitest is a popular testing framework built for the Vite ecosystem. Developers use it to run automated tests for their applications, typically during local development or within automated build pipelines. Because it is designed to verify code before deployment, it is generally kept within internal development environments rather than running as a public-facing application.

How does CVE-2026-47428 create a security risk?

This vulnerability is classified as CWE-79, or Cross-Site Scripting (XSS). It happens because the framework improperly handles data from a URL parameter, allowing it to be injected into a script. This flaw lets an attacker execute unauthorized JavaScript in the Vitest server's context, which can be used to steal sensitive data like the VITEST_API_TOKEN.

What must occur for this vulnerability to be triggered?

An attacker needs to trick a user into visiting a specially crafted URL that interacts with the Vitest browser-runner. Simply running Vitest in a secure, isolated environment does not trigger this. The issue specifically arises from the way the otelCarrier query parameter is processed, meaning normal test execution without a malicious URL remains unaffected.

Is my infrastructure at risk from this flaw?

According to Halo Surface Signal, this risk is very unlikely for most users. Vitest is intended for private development or build-time tasks, not for public web services. Your environment is only at significant risk if an administrator has intentionally and incorrectly exposed a development-only Vitest instance to the public internet.

What are the first steps to address CVE-2026-47428?

Start by auditing your development infrastructure and CI/CD pipelines to identify where Vitest is currently running. Prioritize instances that might be reachable beyond internal networks. Once identified, verify if you are using an affected version and coordinate with your development teams to update to version 4.1.6 or 5.0.0-beta.3.

References