Threat Advisory

Vitest Browser Vulnerability Enables Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Vitest, the JavaScript testing framework, specifically the @vitest/browser package versions >=4.0.17 <4.1.6 and >=5.0.0-beta.0 <5.0.0-beta.3, and the core vitest package versions <4.1.0. The issues include reflected cross‑site scripting that leads to remote code execution, and an unsafe file‑serving check that enables arbitrary file read and write on Windows hosts. Exploitation can allow an attacker to execute malicious JavaScript in the Vitest server origin, steal authentication tokens, modify configuration files, and run arbitrary code on the host system, potentially compromising the entire development pipeline.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Vitest, the JavaScript testing framework, specifically the @vitest/browser package versions >=4.0.17 <4.1.6 and >=5.0.0-beta.0 <5.0.0-beta.3, and the core vitest package versions <4.1.0. The issues include reflected cross‑site scripting that leads to remote code execution, and an unsafe file‑serving check that enables arbitrary file read and write on Windows hosts. Exploitation can allow an attacker to execute malicious JavaScript in the Vitest server origin, steal authentication tokens, modify configuration files, and run arbitrary code on the host system, potentially compromising the entire development pipeline.[emaillocker id="1283"]

  • CVE-2026-47428 with a CVSS score of 9.6 – Reflected XSS in the @vitest/browser server inserts the otelCarrier query parameter directly into an inline script, allowing an attacker who can lure a victim to a crafted URL to execute arbitrary JavaScript in the Vitest origin and harvest the VITEST_API_TOKEN for further API abuse.
  • CVE-2026-47429 with a CVSS score of 9.8 – Improper file‑serving validation in the Vitest UI API permits path traversal on Windows, enabling an attacker with network access to the UI server to read arbitrary files and, via the write API, inject and execute malicious scripts.

These flaws present immediate, high‑severity risk to any organization using Vitest in browser or UI mode, especially when the server is exposed beyond localhost. An attacker could steal credentials, read sensitive files, or achieve remote code execution, potentially disrupting development workflows and exposing proprietary code. Prompt awareness and containment are essential while remediation is planned.

RECOMMENDATION:

  • We recommend you to update npm/@vitest/browser to version 4.1.6. We recommend you to update npm/@vitest/browser to version 5.0.0-beta.3. We recommend you to update npm/vitest to version 4.1.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2h32-95rg-cppp
https://github.com/advisories/GHSA-5xrq-8626-4rwp

[/emaillocker]
crossmenu