Vitest Arbitrary File Read Vulnerability

hello@craftedsignal.io — Mon, 01 Jun 2026 14:15:03 +0000

A critical vulnerability exists in Vitest versions prior to 4.1.0 that allows arbitrary file reads on Windows systems when the Vitest UI server is active, particularly if exposed to the network. The flaw stems from the incorrect usage of the deprecated isFileServingAllowed function within the /__vitest_attachment__ API handler. By using the \\?\\..\\ path traversal technique, attackers can bypass intended security checks and access files outside the project directory. This vulnerability, identified as CVE-2026-47429, could also lead to arbitrary script execution due to the API’s rerun and file write capabilities. To mitigate this, Vitest now includes allowWrite and allowExec configuration flags, which are disabled by default when the API server is bound to a non-localhost host.

Attack Chain

Attacker identifies a vulnerable Vitest instance with its UI server exposed to the network, running on a Windows system.
Attacker obtains the API token by sending a request to http://localhost:51204/__vitest__/.
Attacker crafts a malicious request to the /__vitest_attachment__ endpoint with a path traversal payload: http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN.
The isFileServingAllowed check is bypassed due to the use of the \\?\\..\\ sequence.
The Vitest server reads the content of the specified file (secret.txt) outside the intended project directory.
The attacker receives the content of the file in the response.
Attacker leverages the API’s rerun feature and file write feature (saveTestFile) to write a malicious test file containing arbitrary code.
Attacker uses the rerun feature to execute the newly created test file, achieving arbitrary script execution.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the affected system. If the attacker is able to read sensitive files containing credentials or configuration data, it could lead to further compromise of the system or network. The ability to execute arbitrary scripts allows for full system compromise, data exfiltration, or denial-of-service attacks. This vulnerability affects any Vitest instances with UI server exposed to network and running on Windows prior to version 4.1.0

Recommendation

Upgrade Vitest to version 4.1.0 or later to patch CVE-2026-47429.
Ensure that the allowWrite and allowExec configuration flags are disabled when the Vitest API server is bound to a non-localhost host as per the vendor mitigations.
Monitor network traffic for suspicious requests to the /__vitest_attachment__ endpoint with path traversal sequences using the Sigma rule provided below.
Monitor process creation for unexpected script execution originating from the Vitest process using the provided Sigma rule.

Vitest Browser Mode XSS via otelCarrier Parameter Leads to RCE

hello@craftedsignal.io — Mon, 01 Jun 2026 14:14:49 +0000

The Vitest browser mode is susceptible to a reflected cross-site scripting (XSS) vulnerability. Specifically, the otelCarrier query parameter, when passed to the /__vitest_test__/ endpoint, is directly inserted into an inline module script without proper sanitization. This allows an attacker to inject arbitrary JavaScript code that executes within the Vitest server’s origin. The generated page also contains VITEST_API_TOKEN, which is used for authenticating Vitest WebSocket APIs, leading to potential token compromise and authenticated API calls. This issue affects Vitest versions >= 4.0.17 and < 4.1.6, as well as >= 5.0.0-beta.0 and < 5.0.0-beta.3, impacting users running Vitest browser mode. A successful exploit requires a victim to open a crafted Vitest browser-runner URL while the Vitest browser server is active.

Attack Chain

The attacker crafts a malicious URL targeting the /__vitest_test__/ endpoint, embedding JavaScript code within the otelCarrier query parameter.
The victim opens the attacker-crafted URL in a web browser while the Vitest browser server is running.
The Vitest server reflects the unsanitized otelCarrier parameter directly into an inline module script within the generated HTML page.
The injected JavaScript executes within the victim’s browser, in the Vitest server origin.
The attacker’s script accesses window.VITEST_API_TOKEN, compromising the Vitest WebSocket API token.
The attacker uses the compromised API token to authenticate with the Vitest WebSocket API endpoint at /__vitest_browser_api__.
The attacker calls the triggerCommand function via the WebSocket to write a malicious payload into the vite.config.ts file.
Vitest/Vite reloads the modified configuration file, resulting in the execution of the injected code within the Node.js environment, achieving remote code execution (RCE).

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code within the Vitest server’s origin. In a default local browser-mode setup, this XSS can be leveraged to compromise the Vitest API token, leading to server-side code execution. A confirmed proof of concept demonstrates modifying vite.config.ts to execute arbitrary code in Node. This issue poses a significant risk to developers and CI/CD environments using Vitest in browser mode.

Recommendation

Apply the patch or upgrade to a non-vulnerable version of @vitest/browser to address CVE-2026-47428.
Deploy the Sigma rule “Detect Vitest otelCarrier Parameter Injection” to identify potential exploitation attempts by detecting suspicious characters in the otelCarrier query parameter within web server logs.
Block access to the known malicious URLs (e.g., http://localhost:63315/__vitest_test__/?otelCarrier=(alert(%22xss%20via%20otelCarrier%22)%2Cnull)) listed in the IOC section at the network perimeter.

Vitest — CraftedSignal Threat Feed

Vitest Arbitrary File Read Vulnerability

Attack Chain

Impact

Recommendation

Vitest Browser Mode XSS via otelCarrier Parameter Leads to RCE

Attack Chain

Impact

Recommendation