CVE-2026-47429

CVE-2026-47429 describes a path traversal vulnerability affecting the Vitest UI server. This flaw arises from the incorrect use of the `isFileServingAllowed` function within the API handler for the `/__vitest_attachment__` endpoint, particularly on Windows systems. Attackers can manipulate the `path` parameter to bypass security checks, allowing them to read arbitrary files from the server's filesystem. Beyond arbitrary file reading, the vulnerability extends to arbitrary file write and delete operations through functions like `writeFile`, `removeFile`, and `saveSnapshotFile`. This can ultimately lead to remote code execution when the Vitest UI server is exposed to the network. Mitigations include improved path validation and the introduction of new configuration flags, `allowWrite` and `allowExec`, which are disabled by default when the API server is bound to a non-localhost host.