CVE-2026-47429 Google Chronicle · YARA-L

Detect CVE-2026-47429: Vitest UI Server Arbitrary File Read and Execution in Google Chronicle

CVE-2026-47429 is a critical missing authorization vulnerability (CWE-862, CVSS 9.8) in the Vitest UI server. When the Vitest UI server is listening, unauthenticated remote attackers can read arbitrary files from the filesystem and execute arbitrary code. Affected versions include Vitest < 3.2.6 and >= 4.0.0, < 4.1.0. A public proof-of-concept exists. Exploitation typically involves sending crafted WebSocket or HTTP requests to the Vitest UI server's RPC endpoint to traverse the filesystem or trigger code execution via the browser plugin's file system command handlers.

MITRE ATT&CK

Tactic
Initial Access Credential Access Execution

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2026_47429_vitest_ui_arbitrary_file_read {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-47429 Vitest UI server arbitrary file read and execution"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.process.file.full_path = /node(|\.exe)$/
    (
      $process.target.process.command_line = /vitest/ and
      $process.target.process.command_line = /--ui|ui/
    )
    $process.principal.hostname = $hostname

    $network.metadata.event_type = "NETWORK_CONNECTION"
    $network.target.port in (51204, 51205, 5173, 5174, 4173)
    not $network.principal.ip in ("127.0.0.1", "::1")
    $network.principal.hostname = $hostname

    $file.metadata.event_type = "FILE_OPEN"
    $file.target.file.full_path = /(\.env$|id_rsa$|id_ed25519$|\.pem$|shadow$|passwd$|credentials|secrets|\.aws)/
    $file.principal.hostname = $hostname

  condition:
    $process and $network and $file
}
critical severity high confidence

Chronicle YARA-L 2.0 rule correlating Vitest UI process launch, remote network connection to Vitest ports, and sensitive file access on the same host to detect CVE-2026-47429 exploitation.

Data Sources

Chronicle UDMGoogle Workspace AuditEDR Telemetry

Required Tables

UDM Events

False Positives & Tuning

  • Authorized developer workstations running vitest --ui with access to project secrets during local development
  • Containerized CI environments where internal routing makes connections appear non-loopback
  • Security red team exercises explicitly targeting Vitest UI instances in lab environments
  • Monorepo CI pipelines where Vitest accesses shared credential files across sub-packages

Other platforms for CVE-2026-47429

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47429 - Vitest UI Arbitrary File Read via RPC

    Expected signal: Network connection from external IP to port 5173; node process file open event for /etc/passwd; WebSocket upgrade request in proxy logs

  2. Test 2CVE-2026-47429 - Vitest UI Credential File Exfiltration Simulation

    Expected signal: Sequence of file open events for multiple sensitive paths initiated by node process; multiple WebSocket messages to Vitest UI port within short timeframe

  3. Test 3CVE-2026-47429 - Vitest UI Remote Code Execution via Test Execution

    Expected signal: Child process spawned by node with shell command arguments; file creation event at /tmp/vitest-rce-proof.txt; Sysmon Event ID 1 for child process of node.exe/node

Last updated: 2026-06-21 Research depth: standard
References (8)

Unlock Pro Content

Get the full detection package for CVE-2026-47429 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0006Credential AccessTA0002Execution

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1059.007JavaScriptT1552.001Credentials In Files

Same Tactic: Initial Access

Popular Detections