Path traversal in vitest - #VU137283

 

Path traversal in vitest - #VU137283

Published: July 9, 2026


Vulnerability identifier: #VU137283
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vitest
Affected software:
vitest

Detailed vulnerability description

The vulnerability allows a remote attacker to read, create, overwrite, or delete arbitrary files accessible to the Vitest process.

The vulnerability exists due to path traversal in Browser Mode provider commands when handling client-supplied file paths through the Browser Mode API. A remote attacker can send crafted command inputs with absolute paths or traversal sequences to read, create, overwrite, or delete arbitrary files accessible to the Vitest process.

This is most relevant when the Browser Mode API is reachable from another machine or origin, or when untrusted test code is relied upon to be contained by the file-access restriction.


Remediation

Install security update from vendor's website.

Sources