External risk intelligence

Vitest UI Path Traversal and Script Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-47429

Vitest is a testing framework used by developers for local testing and build-time environments. The UI/API server component is intended for local execution during development or CI/CD pipelines, not for deployment as a public-facing internet service.

Path Traversal

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Vitest testing framework could allow unauthorized access to files and execution of scripts on systems using specific versions. This impacts the integrity and confidentiality of data within the affected projects. The primary concern is to confirm if Vitest is used within the organization and if the affected versions are present.

  • Testing tool allows unauthorized access and script execution.
  • Confirms if Vitest is relevant and exposed.
  • Verify Vitest usage and update if applicable.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the Vitest UI/API server, which is accessible over the network. This could allow them to read sensitive files from the server's file system or execute arbitrary scripts, potentially leading to significant compromise.

  • Network access to the UI/API server is required.
  • Path traversal in file serving allows arbitrary file reads.
  • Arbitrary script execution and data theft are possible.

Live Threat

Current exploitation, exposure, and threat context

When the Vitest UI/API server is improperly configured on Windows, an attacker could exploit a path traversal vulnerability to read sensitive files outside the project directory. Additionally, exposed API write and rerun features could allow arbitrary script execution.

  • Sensitive files outside the project.
  • Path traversal and exposed API features.
  • Arbitrary script execution and file disclosure.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for local development environments or CI/CD pipelines should address this vulnerability, as it affects the Vitest UI/API server. The first practical step is to identify all instances of the affected software, confirm if they are exposed externally, and then prioritize remediation based on the potential business impact and risk.

  • Ownership: Development or platform teams.
  • Verify first: Identify all instances and exposure.
  • Action: Plan updates during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Vitest?

Vitest is a popular unit testing framework built for the Vite ecosystem. It is primarily used by developers to run tests during the software development lifecycle, typically within local machine environments or automated CI/CD build pipelines, rather than as a permanent production application server.

How does CVE-2026-47429 affect Vitest?

This vulnerability is classified as CWE-22, or Path Traversal. In affected Windows versions, the Vitest UI/API server mishandles file requests, allowing an attacker to navigate outside the intended project folder to access sensitive system files. Furthermore, the issue exposes administrative API functions, which can be leveraged to execute arbitrary scripts on the host system.

Do I need network access to trigger this bug?

Yes, an attacker must reach the Vitest UI/API server over the network to send the malicious requests. This vulnerability does not trigger if the Vitest server is not active or if it is isolated from all network communication. Simply having the library installed in a project without running the UI/API component does not invoke the flawed code path.

Is my environment at risk according to Halo Surface Signal?

Halo Surface Signal notes that because Vitest is designed for local development and build pipelines, it is very unlikely to be intended as a public-facing internet service. However, you should still evaluate if your specific development or CI/CD infrastructure is inadvertently exposed to external networks, which would increase the risk profile of this vulnerability.

How do I secure my systems against this threat?

The most effective response is to update your Vitest installation. The maintainers have released versions 3.2.5 and 4.1.0 which resolve the path traversal and API exposure flaws. As a first step, inventory your development environments and CI/CD pipelines to identify any running instances of the affected versions, then schedule an update to the patched releases.

References