CVE-2025-24963
Browser mode serves arbitrary files in vitest
Severity Score
5.9
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-01-29 CVE Reserved
- 2025-02-04 CVE Published
- 2025-02-04 CVE Updated
- 2025-02-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130 | X_refsource_misc | |
| https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f | X_refsource_misc | |
| https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5 | X_refsource_confirm | |
| https://vitest.dev/guide/browser/config.html#browser-api | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vitest-dev Search vendor "Vitest-dev" | Vitest Search vendor "Vitest-dev" for product "Vitest" | >= 2.0.4 < 2.1.9 Search vendor "Vitest-dev" for product "Vitest" and version " >= 2.0.4 < 2.1.9" | en |
Affected
| ||||||
| Vitest-dev Search vendor "Vitest-dev" | Vitest Search vendor "Vitest-dev" for product "Vitest" | >= 3.0.0 < 3.0.4 Search vendor "Vitest-dev" for product "Vitest" and version " >= 3.0.0 < 3.0.4" | en |
Affected
| ||||||