chore: bump up vitest version to v3.2.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vitest (source)	3.1.3 → 3.2.6
vitest (source)	3.2.4 → 3.2.6

---

When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429 / GHSA-5xrq-8626-4rwp

More information

Details

Summary

Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.

Impact

Only users that match either of the following conditions are affected:

• explicitly exposes the Vitest UI server to the network (using --api.host or api.host config option)
• running the Vitest UI or Browser Mode on Windows

Details

The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly.
https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation.
Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist.

A similar problem exists in other places as well.

• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121

That said, this isFileServingAllowed check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there're readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.

PoC

1. Run Vitest UI
2. Get the API token by curl http://localhost:51204/__vitest__/
3. Run curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN" (TOKEN is the API token)
4. curl shows the content of secret.txt that is outside the project directory

Mitigations

Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.

When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.

Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/advisories/GHSA-5xrq-8626-4rwp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitest-dev/vitest (vitest)

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

   🐞 Bug Fixes

• Use correct path for optimisation of strip-literal  -  by @​mrginglymus in #​8139 (44940)
• Print uint and buffer as a simple string  -  by @​sheremet-va in #​8141 (b86bf)
• browser:
  • Show a helpful error when spying on an export  -  by @​sheremet-va in #​8178 (56007)
• cli:
  • vitest run --watch should be watch-mode  -  by @​AriPerkkio in #​8128 (657e8)
  • Use absolute path environment on Windows  -  by @​colinaaa in #​8105 (85dc0)
  • Throw error when --shard x/<count> exceeds count of test files  -  by @​AriPerkkio in #​8112 (8a18c)
• coverage:
  • Ignore SCSS in browser mode  -  by @​sheremet-va in #​8161 (0c3be)
• deps:
  • Update all non-major dependencies  -  in #​8123 (93f32)
• expect:
  • Handle async errors in expect.soft  -  by @​lzl0304 in #​8145 (68699)
• pool:
  • Auto-adjust minWorkers when only maxWorkers specified  -  by @​AriPerkkio in #​8110 (14dc0)
• reporter:
  • task.meta should be available in custom reporter's errors  -  by @​AriPerkkio in #​8115 (27df6)
• runner:
  • Preserve handler wrapping on extend  -  by @​pengooseDev in #​8153 (a9281)
• ui:
  • Ensure ui config option works correctly  -  by @​lzl0304 in #​8147 (42eeb)

    View changes on GitHub

v3.2.3

Compare Source

   🚀 Features

• browser: Use base url instead of vitest  -  by @​sheremet-va in #​8126 (1d8eb)
• ui: Show test annotations and metadata in the test report tab  -  by @​sheremet-va in #​8093 (c69be)

   🐞 Bug Fixes

• Rerun tests when project's setup file is changed  -  by @​sheremet-va in #​8097 (0f335)
• Revert expect.any return type  -  by @​sheremet-va in #​8129 (47514)
• Run only the name plugin last, not all config plugins  -  by @​sheremet-va in #​8130 (83862)
• pool:
  • Throw if user's tests use process.send()  -  by @​AriPerkkio in #​8125 (dfe81)
• runner:
  • Fast sequential task updates missing  -  by @​AriPerkkio in #​8121 (7bd11)
  • Comments between fixture destructures  -  by @​AriPerkkio in #​8127 (dc469)
• vite-node:
  • Unable to handle errors where sourcemap mapping empty  -  by @​blake-newman and @​hi-ogawa in #​8071 (8aa25)

    View changes on GitHub

v3.2.2

Compare Source

   🚀 Features

• Support rolldown-vite  -  by @​sheremet-va and @​hi-ogawa in #​7509 (c8d62)

   🐞 Bug Fixes

• browser:
  • Calculate prepare time from createTesters call on the main thread  -  by @​sheremet-va in #​8101 (142c7)
  • Optimize build output and always prebundle vitest  -  by @​sheremet-va (00a39)
  • Make custom locators available in vitest-browser-* packages  -  by @​sheremet-va in #​8103 (247ef)
• expect:
  • Ensure we can always self toEqual  -  by @​dubzzz in #​8094 (02ec8)
• reporter:
  • Allow dot reporter to work in non interactive terminals  -  by @​bstephen1 and @​AriPerkkio in #​7994 (6db9f)

    View changes on GitHub

v3.2.1

Compare Source

   🐞 Bug Fixes

• Use sha1 instead of md5 for hashing  -  by @​sheremet-va (e4c73)
• expect:
  • Fix chai import in dts  -  by @​hi-ogawa in #​8077 (a7593)
  • Export DeeplyAllowMatchers  -  by @​sheremet-va in #​8078 (30ab4)

    View changes on GitHub

v3.2.0

Compare Source

   🚀 Features

• Provide ctx.signal  -  by @​sheremet-va in #​7878 (e761f)
• Support custom colors for test.name  -  by @​AriPerkkio in #​7809 (4af5d)
• Add vi.mockObject to automock any object  -  by @​hi-ogawa and @​sheremet-va in #​7761 (465bd)
• Introduce watchTriggerPatterns option  -  by @​sheremet-va in #​7778 (a0675)
• Deprecate workspace in favor of projects  -  by @​sheremet-va and @​AriPerkkio in #​7923 (41beb)
• Explicit Resource Management support in mocked functions  -  by @​EskiMojo14 in #​7927 (b67d3)
• Add sequence.groupOrder option  -  by @​sheremet-va in #​7852 (d1a1d)
• Initial support for Temporal equality  -  by @​dirkluijk in #​8007 (52bd7)
• Support Vite 7  -  by @​sheremet-va in #​8003 (1716b)
• Track module execution totalTime and selfTime  -  by @​abrenneke in #​8027 (95961)
• Annotation API  -  by @​sheremet-va in #​7953 (b03f2)
• browser:
  • Implement connect option for playwright browser provider  -  by @​egfx-notifications and @​sheremet-va in #​7915 (029c0)
  • Add screenshot.save option  -  by @​sheremet-va in #​7777 (d9f51)
  • Custom locators API  -  by @​sheremet-va in #​7993 (e6fbd)
• coverage:
  • V8 experimental AST-aware remapping  -  by @​AriPerkkio in #​7736 (78a3d)
• reporter:
  • Add onWritePath option to github-actions  -  by @​nwalters512 and @​AriPerkkio in #​8015 (abd3b)
• vitest:
  • Allow per-file and per-worker fixtures  -  by @​sheremet-va and @​AriPerkkio in #​7704 (9cbfc)

   🐞 Bug Fixes

• Replace micromatch with picomatch  -  by @​sapphi-red in #​7951 (df076)
• Try to catch unhandled error outside of a test  -  by @​sheremet-va in #​7968 (46421)
• Generate a separate config for "vitest init browser" instead of a workspace file  -  by @​sheremet-va in #​7934 (e84e2)
• Switch ExpectStatic any types to AsymmetricMatcher<unknown>, with DeeplyAllowMatchers<T>  -  by @​JoshuaKGoldberg in #​7016 (8ec44)
• Remove unused exports  -  by @​sheremet-va in #​7618 (33d05)
• Throw an error if typechecker failed to spawn  -  by @​sheremet-va in #​7990 (0e960)
• Ignore non-string stack properties  -  by @​sheremet-va in #​7995 (330f9)
• Apply browser CLI options only if the project has the browser set in the config already  -  by @​sheremet-va in #​7984 (70358)
• Ensure errors keep their message and stack after toJSON serialisation  -  by @​sheremet-va in #​8053 (3bdf0)
• browser:
  • Resolve FS commands relative to the project root  -  by @​sheremet-va in #​7896 (69ac9)
  • Run tests serially if provider doesn't provide a mocker  -  by @​sheremet-va in #​8032 (227a9)
  • Resolve upload files relative to the project root  -  by @​sheremet-va in #​8042 (b9a31)
  • Await mocker invalidation to avoid race condition with "mock wasn't registered"  -  by @​sheremet-va in #​8021 (b34ff)
  • Share vite cache with the project cache  -  by @​sheremet-va in #​8049 (0cbad)
  • Add this type to locators.extend  -  by @​sheremet-va in #​8069 (70fb0)
• cache:
  • Preserve test results from previous runs  -  by @​macko911 in #​8043 (d6ef0)
• cli:
  • Add built-in reporters list to --help output  -  by @​pengooseDev in #​7955 (ef6ef)
  • Parse --silent values properly  -  by @​AriPerkkio in #​8055 (8fad7)
• coverage:
  • Istanbul provider to not use Vite preserved query params  -  by @​AriPerkkio in #​7939 (a05d4)
  • Browser + v8 in source tests missing  -  by @​AriPerkkio in #​7946 (51cd8)
  • In-source test cases excluded  -  by @​AriPerkkio in #​7985 (407c0)
• dev:
  • Fix relay of custom equality testers  -  by @​StefanLiebscher in #​6140 (6dc1d)
• expect:
  • Unbundle @types/chai  -  by @​hi-ogawa in #​7937 (525f5)
  • Support type-safe declaration of custom matchers  -  by @​kettanaito and @​sheremet-va in #​7656 (e996b)
• reporters:
  • Check the test result again when tests are rerunning  -  by @​sheremet-va in #​8063 (35e31)
• spy:
  • Copy over static properties from the function  -  by @​sheremet-va in #​7780 (9b9f0)
• typecheck:
  • Don't panic during vitest list command  -  by @​sheremet-va in #​7933 (ba6da)
  • Avoid creating a temporary tsconfig file when typechecking  -  by @​sheremet-va in #​7967 (34f43)
• vite-node:
  • Add __vite_ssr_exportName__  -  by @​hi-ogawa in #​7925 (76091)
• vitest:
  • Adjust getWorkerMemoryLimit priority for vmForks  -  by @​pengooseDev in #​7960 (5a91e)
• wdio:
  • Don't scale browser in headless mode  -  by @​sheremet-va in #​8033 (c23b0)

    View changes on GitHub

v3.1.4

Compare Source

   🐞 Bug Fixes

• Apply browser CLI options only if the project has the browser set in the config already  -  by @​sheremet-va in #​8002 (64f2b)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
blocksuite	Ready	Preview, Comment	Jun 9, 2026 1:11am