<Vulnerability name="CVE-2026-47429">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-14T19:28:08</PublicDate>
    <Bugzilla id="2500573" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500573" xml:lang="en:us">
vitest: Vitest: Arbitrary code execution and information disclosure via path traversal
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>8.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Vitest, a testing framework. On Windows, the Vitest UI/API server incorrectly handled file serving, which could allow an attacker to read sensitive files outside the project directory. Additionally, exposed API features could be exploited to execute arbitrary scripts, leading to potential system compromise.
    </Details>
    <Statement xml:lang="en:us">
Vitest ships a UI and API server (enabled via the --ui or --api flags, or automatically as part of Browser Mode) that exposes file read, file write, and test-rerun functionality over HTTP. Due to an incorrect path-traversal check in the /__vitest_attachment__ handler and related code paths, a remote attacker who can reach this server can read arbitrary files, and via the write/rerun features can achieve arbitrary code execution. Exploitation requires either exposing the server to a network host (--api.host / api.host config) or running the UI/Browser Mode on Windows.

Red Hat's shipped products use vitest exclusively as a development-time unit test runner (invoked as `vitest run`, `test:unit`, or `--project` in CI/build pipelines). None of the Red Hat products that ship vitest start its UI server, API server, or Browser Mode as part of their build process or shipped runtime. The @vitest/browser package (required for Browser Mode) is not present in any Red Hat product's manifest. As a result, the vulnerable code path is not reachable in any Red Hat product covered by this flaw, and affects are set to NOTAFFECTED / Vulnerable Code not in Execute Path.
    </Statement>
    <Mitigation xml:lang="en:us">
No mitigation is required for Red Hat products, as none run Vitest's UI/API server or Browser Mode in their build or shipped runtime.

Developers who run `vitest --ui`, `vitest --api`, or Browser Mode interactively should avoid binding the server to a non-localhost host, and should upgrade to vitest &gt;= 4.1.0 (or &gt;= 3.2.5 on the 3.x branch), where the allowWrite/allowExec flags default to disabled whenever the server is bound to a non-localhost host.
    </Mitigation>
    <AffectedRelease impact="critical" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-13T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:39058">RHSA-2026:39058</Advisory>
        <Package name="prometheus3-13-main">prometheus3-13-main-3.13.1-0.1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vitest</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ansible-automation-platform-26/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ansible-automation-platform-27/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>automation-platform-ui</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vitest</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:podman_desktop:1">
        <ProductName>Red Hat Build of Podman Desktop</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rh-podman-desktop.git</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vitest</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vitest</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift4/ose-agent-installer-ui-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-47429
https://nvd.nist.gov/vuln/detail/CVE-2026-47429
https://github.com/vitest-dev/vitest/commit/20e00ef7808de6d330c5e2fda530f686e08f1c8d
https://github.com/vitest-dev/vitest/commit/af88b1f5d82844a4761ea9a977156c98e2b14ca8
https://github.com/vitest-dev/vitest/pull/10445
https://github.com/vitest-dev/vitest/pull/9350
https://github.com/vitest-dev/vitest/releases/tag/v3.2.5
https://github.com/vitest-dev/vitest/releases/tag/v4.1.0
https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp
    </References>
</Vulnerability>