First published: Tue Feb 04 2025
### Summary

The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api), an attacker can send a request to that handler remotely to get the content of arbitrary files.

### Details

This `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system.

https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130

This code was added by https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f.

### PoC

1. Create a directory and change the current directory to that directory
2. Run `npx vitest init browser`
3. Run `npm run test:browser`
4. Run `curl http://localhost:63315/__screenshot-error?file=/path/to/any/file`

### Impact

Users explicitly exposing the browser mode server to the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api) may get any files exposed.
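The handler described above serves whatever path the `file` query parameter names. The following added example (not Vitest's code or its actual patch) contrasts that pattern with a resolver that only returns files contained in an allowed root; the function names, the allowed-root policy and the temp-directory sample tree are assumptions constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Hypothetical helpers for illustration; not taken from the Vitest code base.
const fileParam = (u) => new URL(u, 'http://localhost').searchParams.get('file');

// Vulnerable pattern: the query value is used as a path with no checks,
// so any file the server process can read would be served.
const resolveUnchecked = (reqUrl) => fileParam(reqUrl);

// Hardened pattern: serve only regular files that really live under allowedRoot.
function resolveContained(reqUrl, allowedRoot) {
  const file = fileParam(reqUrl);
  if (!file || file.includes('\0')) return null;
  let root, real;
  try {
    root = fs.realpathSync(allowedRoot);
    // realpath follows symlinks, so a link that points outside the root is caught
    real = fs.realpathSync(path.resolve(root, file));
  } catch {
    return null; // missing file or unreadable path
  }
  const rel = path.relative(root, real);
  // Comparing path segments (not string prefixes) rejects siblings like "project-secrets"
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return !escapes && fs.statSync(real).isFile() ? real : null;
}

// Constructed sample tree in a temp directory; returns which requests are served.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'shot-'));
  const root = path.join(base, 'project');
  const outside = path.join(base, 'project-secrets', 'key.txt');
  fs.mkdirSync(path.join(root, '__screenshots__'), { recursive: true });
  fs.mkdirSync(path.dirname(outside));
  fs.writeFileSync(path.join(root, '__screenshots__', 'fail.png'), 'png');
  fs.writeFileSync(outside, 'secret');
  fs.symlinkSync(outside, path.join(root, 'link.png'));
  const url = (f) => '/__screenshot-error?file=' + encodeURIComponent(f);
  const served = (f) => resolveContained(url(f), root) !== null;
  return {
    inside: served('__screenshots__/fail.png'),
    absoluteOutside: served(outside),
    traversal: served('../project-secrets/key.txt'),
    symlinkOut: served('link.png'),
    uncheckedReturnsOutside: resolveUnchecked(url(outside)) === outside,
  };
}
```

Calling `demo()` shows that only the file inside the root is served by the contained resolver, while the unchecked form hands back the outside path unchanged.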
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/@vitest/browser | >=3.0.0 <3.0.4 | 3.0.4 |
npm/@vitest/browser | >=2.0.4 <2.1.9 | 2.1.9 |
CVE-2025-24963 has a high severity due to the potential for unauthorized file access if the vulnerable server is exposed.
To fix CVE-2025-24963, upgrade the @vitest/browser package to version 3.0.4 or 2.1.9.
CVE-2025-24963 affects @vitest/browser versions from 2.0.4 up to (but not including) 2.1.9 and from 3.0.0 up to (but not including) 3.0.4.
Exploiting CVE-2025-24963 can allow an attacker to access any file on the file system of the server.
The exposure from CVE-2025-24963 is greatest when the `browser.api.host` configuration is set to true, which exposes the server on the network.