SB2026052282 - Improper access control in vitest

Description

This security bulletin contains information about 1 vulnerability.

1) Improper access control (CVE-ID: CVE-2026-47429)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to read arbitrary files and execute arbitrary code.

The vulnerability exists due to improper access control in the Vitest UI server API and Browser Mode file operation endpoints when handling crafted API requests to exposed file read, write, and rerun functionality. A remote attacker can send specially crafted requests to read arbitrary files and execute arbitrary code.

On Windows, the file-serving check can be bypassed using a crafted path such as \\?\\..\\. Only instances that expose the Vitest UI server to the network or run the Vitest UI or Browser Mode on Windows are affected.

Remediation

Install update from vendor's website.

References

• https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77