CVE-2026-47429: Vitest UI Server Arbitrary File Read and Execution

let VitestPorts = dynamic([51204, 51205, 5173, 5174, 4173]);
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (
    (ActionType == "InboundConnectionAccepted" and LocalPort in (VitestPorts))
    or
    (FileName in~ ("node", "node.exe") and ProcessCommandLine has_any ("vitest", "--ui", "vitest/ui"))
  )
| extend IsVitestUI = ProcessCommandLine has "--ui" or ProcessCommandLine has "vitest ui"
| join kind=leftouter (
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("node", "node.exe")
    | where FolderPath !startswith "C:\\Users" or FolderPath has_any (".env", "id_rsa", "passwd", "shadow", "/etc/")
    | project FileAccessTime=TimeGenerated, DeviceId, AccessedPath=FolderPath, InitiatingProcessCommandLine
) on DeviceId
| where isnotempty(AccessedPath)
| project TimeGenerated, DeviceName, ProcessCommandLine, AccessedPath, InitiatingProcessCommandLine, LocalPort
| extend RiskScore = case(
    AccessedPath has_any (".env", "id_rsa", "id_ed25519", ".pem", "shadow", "passwd", "credentials", "secrets"), 100,
    AccessedPath has_any ("/etc/", "C:\\Windows\\System32"), 80,
    50
  )
| where RiskScore >= 50
| order by RiskScore desc

index=* sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "osquery:results", "stream:http")
| eval is_vitest_process=if(match(process_name, "(?i)node") AND match(command_line, "(?i)(vitest.*--ui|vitest ui|@vitest/ui)"), 1, 0)
| eval is_sensitive_file=if(match(file_path, "(?i)(\.env|id_rsa|id_ed25519|\.pem|\.key|shadow|passwd|credentials|secrets|aws/credentials|config/database)"), 1, 0)
| eval is_vitest_port=if(dest_port IN (51204, 51205, 5173, 5174, 4173), 1, 0)
| where is_vitest_process=1 OR is_vitest_port=1
| eval alert_reason=case(
    is_vitest_process=1 AND is_sensitive_file=1, "Vitest process accessed sensitive file",
    is_vitest_port=1 AND src_ip!="127.0.0.1" AND src_ip!="::1", "Remote connection to Vitest UI port",
    is_vitest_process=1, "Vitest UI process spawned",
    true(), "Vitest UI port activity"
  )
| stats count, values(file_path) as accessed_files, values(src_ip) as source_ips, values(command_line) as commands by host, user, alert_reason
| where (alert_reason="Vitest process accessed sensitive file") OR (alert_reason="Remote connection to Vitest UI port" AND count>1)
| sort -count

sequence by host.name with maxspan=5m
  [process where event.type == "start"
    and process.name in ("node", "node.exe")
    and process.args : ("*vitest*", "*@vitest/ui*")
    and process.args : ("*--ui*", "*ui*")]
  [network where event.type == "connection"
    and network.direction == "ingress"
    and destination.port in (51204, 51205, 5173, 5174, 4173)
    and not source.ip in ("127.0.0.1", "::1", "0:0:0:0:0:0:0:1")]
  [file where event.type in ("open", "read", "access")
    and file.path : ("*/.env", "*/id_rsa", "*/id_ed25519", "*/.pem", "*/shadow", "*/passwd", "*/credentials", "*/secrets*", "*/.aws/*")]

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "File Path" AS file_path,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'Sysmon')
  AND (
    (
      "Process Name" ILIKE '%node%'
      AND "Command" ILIKE '%vitest%'
      AND "Command" ILIKE '%ui%'
    )
    OR destinationport IN (51204, 51205, 5173, 5174, 4173)
  )
  AND (
    "File Path" ILIKE '%.env%'
    OR "File Path" ILIKE '%id_rsa%'
    OR "File Path" ILIKE '%id_ed25519%'
    OR "File Path" ILIKE '%shadow%'
    OR "File Path" ILIKE '%passwd%'
    OR "File Path" ILIKE '%credentials%'
    OR "File Path" ILIKE '%secrets%'
    OR "File Path" ILIKE '%aws/credentials%'
    OR (sourceip NOT IN ('127.0.0.1', '::1') AND destinationport IN (51204, 51205, 5173, 5174, 4173))
  )
LAST 24 HOURS
ORDER BY starttime DESC

_sourceCategory=* (node OR vitest)
| where _raw matches "(?i)(vitest.*--ui|vitest ui|@vitest/ui)"
| parse regex field=_raw "(?P<file_path>[/\\][^\s"']+(?:\.env|id_rsa|id_ed25519|\.pem|shadow|passwd|credentials|secrets)[^\s"']*)" nodrop
| parse regex field=_raw "(?P<source_ip>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)" nodrop
| parse regex field=_raw "(?:port|:)\s*(?P<dest_port>5120[34]|5173|5174|4173)" nodrop
| eval is_sensitive_access = if(!isNull(file_path) AND file_path != "", "true", "false")
| eval is_remote_access = if(!isNull(source_ip) AND source_ip != "127.0.0.1" AND source_ip != "::1" AND !isNull(dest_port), "true", "false")
| where is_sensitive_access = "true" OR is_remote_access = "true"
| eval alert_type = if(is_sensitive_access = "true" AND is_remote_access = "true", "Critical: Remote exploit with sensitive file access",
    if(is_sensitive_access = "true", "High: Sensitive file accessed via Vitest",
    "Medium: Remote connection to Vitest UI port"))
| count by _sourceHost, alert_type, file_path, source_ip
| order by _count desc

rule cve_2026_47429_vitest_ui_arbitrary_file_read {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-47429 Vitest UI server arbitrary file read and execution"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.process.file.full_path = /node(|\.exe)$/
    (
      $process.target.process.command_line = /vitest/ and
      $process.target.process.command_line = /--ui|ui/
    )
    $process.principal.hostname = $hostname

    $network.metadata.event_type = "NETWORK_CONNECTION"
    $network.target.port in (51204, 51205, 5173, 5174, 4173)
    not $network.principal.ip in ("127.0.0.1", "::1")
    $network.principal.hostname = $hostname

    $file.metadata.event_type = "FILE_OPEN"
    $file.target.file.full_path = /(\.env$|id_rsa$|id_ed25519$|\.pem$|shadow$|passwd$|credentials|secrets|\.aws)/
    $file.principal.hostname = $hostname

  condition:
    $process and $network and $file
}

#event_simpleName IN (ProcessRollup2, NetworkConnectIP4, NetworkConnectIP6, FileOpenInfo)
| ImageFileName = /node(\.exe)?$/i
| CommandLine = /vitest/i AND CommandLine = /(--ui|vitest ui)/i
| groupBy([aid, ComputerName, UserName], function=[
    collect(CommandLine, limit=10),
    collect(RemoteIP, limit=10),
    collect(RemotePort, limit=10),
    collect(TargetFileName, limit=20),
    count()
  ])
| RemotePort IN (51204, 51205, 5173, 5174, 4173)
| NOT RemoteIP IN ("127.0.0.1", "::1", "0:0:0:0:0:0:0:1")
| TargetFileName = /(\.env$|id_rsa|id_ed25519|\.pem|shadow|passwd|credentials|secrets|\.aws\/credentials)/i
| eval RiskLevel = if(TargetFileName matches /(\.env|id_rsa|id_ed25519|\.pem|aws)/, "CRITICAL", "HIGH")
| sort(-RiskLevel, -count)
| rename ComputerName AS hostname, UserName AS affected_user