Description

Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2025-02-04T19:36:52.385Z

Last Modified :

2025-02-12T20:51:28.011Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-24963 vulnerability.

Vendors Products
Vitest.dev
  • Vitest
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-24963.

URL Resource
https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130 cve-icon cve-icon
https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f cve-icon cve-icon
https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5 cve-icon cve-icon
https://vitest.dev/guide/browser/config.html#browser-api cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact