Skip to content

[GHSA-5xrq-8626-4rwp] When Vitest UI server is listening, arbitrary file can be read and executed#7883

Open
joevin-slq-docto wants to merge 1 commit into
joevin-slq-docto/advisory-improvement-7883from
joevin-slq-docto-GHSA-5xrq-8626-4rwp
Open

[GHSA-5xrq-8626-4rwp] When Vitest UI server is listening, arbitrary file can be read and executed#7883
joevin-slq-docto wants to merge 1 commit into
joevin-slq-docto/advisory-improvement-7883from
joevin-slq-docto-GHSA-5xrq-8626-4rwp

Conversation

@joevin-slq-docto
Copy link
Copy Markdown

@joevin-slq-docto joevin-slq-docto commented Jun 3, 2026
edited
Loading

Updates

  • Affected products

Comments
GHSA-5xrq-8626-4rwp should be updated with GHSA-5xrq-8626-4rwp data. The fix has also been backported to 3.2.5.

@github
Copy link
Copy Markdown
Collaborator

github commented Jun 3, 2026

Hi there @hi-ogawa! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot AI review requested due to automatic review settings June 3, 2026 09:57
Copilot AI reviewed Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates a GitHub-reviewed security advisory by extending the affected version ranges for the vitest npm package.

Changes:

  • Bumped the advisory modified timestamp.
  • Added two new affected entries for npm:vitest with different fixed versions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread advisories/github-reviewed/2026/06/GHSA-5xrq-8626-4rwp/GHSA-5xrq-8626-4rwp.json
Comment on lines +36 to 74
},
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
]
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.5"
}
]
}
]
}
Copy link
Copy Markdown
Author

@joevin-slq-docto joevin-slq-docto Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we should have this:

  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vitest"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.5"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vitest"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.0"
            }
          ]
        }
      ]
    }
  ],

@github-actions github-actions Bot changed the base branch from main to joevin-slq-docto/advisory-improvement-7883 June 3, 2026 09:58
joevin-slq-docto
joevin-slq-docto commented Jun 3, 2026
View reviewed changes
Comment thread advisories/github-reviewed/2026/06/GHSA-5xrq-8626-4rwp/GHSA-5xrq-8626-4rwp.json
"introduced": "0"
},
{
"fixed": "4.1.0"
Copy link
Copy Markdown
Author

@joevin-slq-docto joevin-slq-docto Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"fixed": "3.2.5"

Comment thread advisories/github-reviewed/2026/06/GHSA-5xrq-8626-4rwp/GHSA-5xrq-8626-4rwp.json
Comment on lines +37 to +55
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
]
}
]
},
Copy link
Copy Markdown
Author

@joevin-slq-docto joevin-slq-docto Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
]
}
]
},

Comment thread advisories/github-reviewed/2026/06/GHSA-5xrq-8626-4rwp/GHSA-5xrq-8626-4rwp.json
Comment on lines +66 to +69
"introduced": "0"
},
{
"fixed": "3.2.5"
Copy link
Copy Markdown
Author

@joevin-slq-docto joevin-slq-docto Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"introduced": "0"
},
{
"fixed": "3.2.5"
"introduced": "4.0.0"
},
{
"fixed": "4.1.0"

Copy link
Copy Markdown

@t1m0thyj t1m0thyj Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is 4.1.0 accurate? Other tools report 4.1.6 for the fixed version: https://security.snyk.io/package/npm/vitest/versions?page=1

@joevin-slq-docto
Copy link
Copy Markdown
Author

joevin-slq-docto commented Jun 3, 2026

It's very similar with #7881

@t1m0thyj t1m0thyj mentioned this pull request Jun 3, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@t1m0thyj t1m0thyj t1m0thyj left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@joevin-slq-docto @github @t1m0thyj