CVE-2026-47428: Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Vitest browser mode served the /__vitest_test__/ page with the value of the otelCarrier query parameter inserted directly into an inline module script. Because that value was spliced in as JavaScript source rather than embedded as data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest server origin (a reflected cross-site scripting issue in the dev server's own origin).
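As an added illustration (not Vitest's own code), the following JavaScript models the pattern the advisory describes: a query-parameter value concatenated into an inline module script, beside the same value embedded as an escaped JSON string literal. The port, the HTML shape, the `traceparent` field and the two attacker payloads are constructed assumptions, and the execution check stands in for a browser with a fake global object.

```javascript
// Added example (not Vitest's code): how a query parameter spliced into an inline
// <script type="module"> becomes executable code, and how to embed it as data instead.
// Route, parameter name, port and HTML shape are illustrative assumptions.

const PAGE_ROUTE = 'http://localhost:63315/__vitest_test__/'; // port is an assumption

// Two constructed attacker values for otelCarrier: one breaks out of the JS string
// literal, the other breaks out of the <script> element entirely.
const JS_BREAKOUT = '"};globalThis.__pwned = 1;//';
const TAG_BREAKOUT = '</script><script>globalThis.__pwned = 1</script>';

function carrierFromUrl(url) {
  return new URL(url).searchParams.get('otelCarrier') ?? '';
}

// Vulnerable pattern: the raw parameter is concatenated into JavaScript source, so
// quote and tag characters in it change the program rather than the data.
function renderVulnerable(carrier) {
  return `<script type="module">
  const otelCarrier = { traceparent: "${carrier}" };
  globalThis.__vitest_otel__ = otelCarrier;
</script>`;
}

// Hardened pattern: serialize the value as a JSON string literal and escape the
// characters that can close the script element or break the literal. The browser
// still receives exactly one string, whatever the attacker put in the URL.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(carrier) {
  return `<script type="module">
  const otelCarrier = { traceparent: ${toJsStringLiteral(carrier)} };
  globalThis.__vitest_otel__ = otelCarrier;
</script>`;
}

// Check 1: an HTML-level breakout shows up as extra </script> tags in the page.
function countScriptCloses(html) {
  return (html.match(/<\/script>/gi) ?? []).length;
}

// Check 2: execute the first inline script body against a stand-in global object so
// we can observe whether the injected statement ran. (Node has no DOM; this models
// only the JS-string breakout, not HTML parsing.)
function runInlineScript(html) {
  const body = html.match(/<script type="module">([\s\S]*?)<\/script>/)[1];
  const fakeGlobal = { __pwned: 0, __vitest_otel__: undefined };
  new Function('globalThis', body)(fakeGlobal); // parameter shadows the real globalThis
  return fakeGlobal;
}

function demo() {
  const url = PAGE_ROUTE + '?otelCarrier=' + encodeURIComponent(JS_BREAKOUT);
  const carrier = carrierFromUrl(url);
  return {
    vulnerable: runInlineScript(renderVulnerable(carrier)),   // __pwned becomes 1
    hardened: runInlineScript(renderHardened(carrier)),       // payload stays a string
    vulnerableCloses: countScriptCloses(renderVulnerable(TAG_BREAKOUT)), // 3
    hardenedCloses: countScriptCloses(renderHardened(TAG_BREAKOUT)),     // 1
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the hardened form is that the carrier reaches the page as a string literal the parser cannot leave: `JSON.stringify` neutralises quotes and backslashes, and the extra `\u003c`/`\u003e`/`\u0026` escapes stop the HTML tokenizer from seeing a `</script>` inside the script body. A safer design still is to avoid inline script altogether and pass such values through a `data-` attribute or a JSON `<script type="application/json">` block that the runner reads with `JSON.parse`.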
References
- github.com/advisories/GHSA-2h32-95rg-cppp
- github.com/vitest-dev/vitest/blob/cba2036a197ec8ed42c35a37db78ef07192202c7/packages/browser/src/client/public/esm-client-injector.js
- github.com/vitest-dev/vitest/blob/cba2036a197ec8ed42c35a37db78ef07192202c7/packages/browser/src/node/serverOrchestrator.ts
- github.com/vitest-dev/vitest/security/advisories/GHSA-2h32-95rg-cppp
- nvd.nist.gov/vuln/detail/CVE-2026-47428