CVE-2026-47429
Gravedad CVSS v3.1:
CRÍTICA
Tipo:
CWE-22
Limitación incorrecta de nombre de ruta a un directorio restringido (Path Traversal)
Fecha de publicación:
14/07/2026
Última modificación:
14/07/2026
Descripción
*** Pendiente de traducción *** Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
Impacto
Puntuación base 3.x
9.80
Gravedad 3.x
CRÍTICA
Referencias a soluciones, herramientas e información
- https://github.com/vitest-dev/vitest/commit/20e00ef7808de6d330c5e2fda530f686e08f1c8d
- https://github.com/vitest-dev/vitest/commit/af88b1f5d82844a4761ea9a977156c98e2b14ca8
- https://github.com/vitest-dev/vitest/pull/10445
- https://github.com/vitest-dev/vitest/pull/9350
- https://github.com/vitest-dev/vitest/releases/tag/v3.2.5
- https://github.com/vitest-dev/vitest/releases/tag/v4.1.0
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp



