Path traversal in vitest - #VU137283
Published: July 9, 2026
vitest
Detailed vulnerability description
The vulnerability allows a remote attacker to read, create, overwrite, or delete arbitrary files accessible to the Vitest process.
The vulnerability exists due to path traversal in Browser Mode provider commands when handling client-supplied file paths through the Browser Mode API. A remote attacker can send crafted command inputs with absolute paths or traversal sequences to read, create, overwrite, or delete arbitrary files accessible to the Vitest process.
This is most relevant when the Browser Mode API is reachable from another machine or origin, or when untrusted test code is relied upon to be contained by the file-access restriction.