CVE-2026-47429 Splunk · SPL

Detect CVE-2026-47429: Vitest UI Server Arbitrary File Read and Execution in Splunk

CVE-2026-47429 is a critical missing authorization vulnerability (CWE-862, CVSS 9.8) in the Vitest UI server. When the Vitest UI server is listening, unauthenticated remote attackers can read arbitrary files from the filesystem and execute arbitrary code. Affected versions include Vitest < 3.2.6 and >= 4.0.0, < 4.1.0. A public proof-of-concept exists. Exploitation typically involves sending crafted WebSocket or HTTP requests to the Vitest UI server's RPC endpoint to traverse the filesystem or trigger code execution via the browser plugin's file system command handlers.

MITRE ATT&CK

Tactic
  • Initial Access
  • Credential Access
  • Execution

SPL Detection Query

Splunk (SPL)

```spl
index=* sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "osquery:results", "stream:http")
| eval is_vitest_process=if(match(process_name, "(?i)node") AND match(command_line, "(?i)(vitest.*--ui|vitest ui|@vitest/ui)"), 1, 0)
| eval is_sensitive_file=if(match(file_path, "(?i)(\.env|id_rsa|id_ed25519|\.pem|\.key|shadow|passwd|credentials|secrets|aws/credentials|config/database)"), 1, 0)
| eval is_vitest_port=if(in(dest_port, 51204, 51205, 5173, 5174, 4173), 1, 0)
| where is_vitest_process=1 OR is_vitest_port=1
| eval alert_reason=case(
    is_vitest_process=1 AND is_sensitive_file=1, "Vitest process accessed sensitive file",
    is_vitest_port=1 AND src_ip!="127.0.0.1" AND src_ip!="::1", "Remote connection to Vitest UI port",
    is_vitest_process=1, "Vitest UI process spawned",
    true(), "Vitest UI port activity"
  )
| stats count, values(file_path) as accessed_files, values(src_ip) as source_ips, values(command_line) as commands by host, user, alert_reason
| where (alert_reason="Vitest process accessed sensitive file") OR (alert_reason="Remote connection to Vitest UI port" AND count>1)
| sort -count
```

Severity: critical. Confidence: medium.

Detects CVE-2026-47429 exploitation patterns including Vitest UI server process activity with sensitive file access and remote connections to Vitest UI default ports from non-loopback addresses.
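As an added illustration that is not part of the original detection package, the Python below reimplements the query's eval/case chain, the stats grouping by host, user and alert_reason, and the final where filter, and runs them over constructed sample records so the alerting thresholds (loopback exclusion, count>1 for remote connections) can be checked offline before the SPL is deployed. Hostnames, users, IPs and paths are constructed values.

```python
import re
from collections import defaultdict

# Literals copied from the SPL query above.
VITEST_PORTS = {51204, 51205, 5173, 5174, 4173}
VITEST_CMD = re.compile(r"vitest.*--ui|vitest ui|@vitest/ui", re.I)
SENSITIVE_PATH = re.compile(r"\.env|id_rsa|id_ed25519|\.pem|\.key|shadow|passwd|credentials"
                            r"|secrets|aws/credentials|config/database", re.I)

def classify(ev):
    """Mirror of the SPL eval/case chain for one event; None means the first where clause drops it."""
    is_proc = bool(re.search("node", ev.get("process_name", ""), re.I)
                   and VITEST_CMD.search(ev.get("command_line", "")))
    is_sensitive = bool(SENSITIVE_PATH.search(ev.get("file_path", "")))
    is_port = ev.get("dest_port") in VITEST_PORTS
    if not (is_proc or is_port):
        return None
    remote = "src_ip" in ev and ev["src_ip"] not in ("127.0.0.1", "::1")  # null src_ip falls through as in SPL
    if is_proc and is_sensitive:
        return "Vitest process accessed sensitive file"
    if is_port and remote:
        return "Remote connection to Vitest UI port"
    return "Vitest UI process spawned" if is_proc else "Vitest UI port activity"

def alerts(events):
    """Mirror of the stats by host/user/alert_reason, the final where filter and the sort."""
    groups = defaultdict(list)
    for ev in events:
        reason = classify(ev)
        if reason:
            groups[(ev.get("host"), ev.get("user"), reason)].append(ev)
    out = [{"host": h, "user": u, "alert_reason": r, "count": len(evs),
            "source_ips": sorted({e["src_ip"] for e in evs if "src_ip" in e}),
            "accessed_files": sorted({e["file_path"] for e in evs if "file_path" in e})}
           for (h, u, r), evs in groups.items()
           if r == "Vitest process accessed sensitive file"
           or (r == "Remote connection to Vitest UI port" and len(evs) > 1)]
    return sorted(out, key=lambda a: -a["count"])

# Constructed sample records (not real telemetry): two Sysmon-style file events and four network events.
def _proc(host, user, path):
    return {"host": host, "user": user, "process_name": "node",
            "command_line": "node node_modules/.bin/vitest --ui", "file_path": path}
def _net(host, src_ip, port):
    return {"host": host, "user": "-", "src_ip": src_ip, "dest_port": port}
SAMPLE_EVENTS = [_proc("dev-01", "alice", "/home/alice/.env"), _proc("dev-01", "alice", "src/app.test.ts"),
                 _net("dev-02", "10.0.0.9", 5173), _net("dev-02", "10.0.0.9", 5173),
                 _net("dev-03", "127.0.0.1", 5173), _net("dev-04", "203.0.113.5", 51204)]
```

Running `alerts(SAMPLE_EVENTS)` yields two rows: the repeated remote connection to dev-02 (count 2) and the .env read on dev-01; the single remote probe of dev-04 and the loopback connection on dev-03 are filtered out exactly as the SPL would filter them.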

Data Sources

  • Sysmon
  • Linux Audit
  • osquery
  • Network Proxy Logs

Required Sourcetypes

  • WinEventLog:Microsoft-Windows-Sysmon/Operational
  • linux_secure
  • osquery:results
  • stream:http

False Positives & Tuning

  • Developers legitimately running vitest --ui locally and accessing config files during test setup
  • Automated test pipelines in CI that expose the UI port within isolated networks
  • Port scanners or security tools probing development server ports in lab environments
  • Monorepo tooling that spawns node processes with broad file access patterns

Testing Methodology

Validate this detection against the three adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry the query should then produce. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2026-47429 - Vitest UI Arbitrary File Read via RPC

    Expected signal: Network connection from external IP to port 5173; node process file open event for /etc/passwd; WebSocket upgrade request in proxy logs

  2. Test 2: CVE-2026-47429 - Vitest UI Credential File Exfiltration Simulation

    Expected signal: Sequence of file open events for multiple sensitive paths initiated by node process; multiple WebSocket messages to Vitest UI port within short timeframe

  3. Test 3: CVE-2026-47429 - Vitest UI Remote Code Execution via Test Execution

    Expected signal: Child process spawned by node with shell command arguments; file creation event at /tmp/vitest-rce-proof.txt; Sysmon Event ID 1 for child process of node.exe/node
