🚨 CRITICAL: CVE-2026-47429 - Vitest UI Server Arbitrary File Read/Execute Vulnerability #2754

@jjasghar

Severity: CRITICAL

GHSA: GHSA-5xrq-8626-4rwp
CVE: CVE-2026-47429
Affected Package: vitest
Impact: Remote Code Execution (RCE)

Description

A critical vulnerability in the Vitest UI server allows arbitrary file read and execution while the Vitest UI server is listening. This could enable attackers to execute malicious code on systems running vulnerable versions of agentstack with Vitest UI enabled.

Impact Details

  • Arbitrary File Read: Attackers can read files they shouldn't have access to
  • Arbitrary Code Execution: Files can be executed, leading to full system compromise
  • Affected Files: 30 files in the repository

Remediation Steps

  1. Update vitest package to the patched version as specified in GHSA-5xrq-8626-4rwp
  2. Disable Vitest UI server if not required in production environments
  3. Audit all instances where Vitest UI might be enabled
  4. Review dependency tree for transitive dependencies using vulnerable vitest versions

References

Priority

IMMEDIATE ACTION REQUIRED - This vulnerability allows remote code execution and affects a significant number of files in the codebase.

Automated security scan detected this critical vulnerability. Please prioritize remediation.

Labels: bug