CVE-2025-24963

moderate-risk
Published 2025-02-04

Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Do I need to act?

!
23.6% chance of exploitation in next 30 days
EPSS score — higher than 76% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Vitest.Dev

References (4)

Product https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e...
Patch https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc...
Vendor Advisory https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5
Product https://vitest.dev/guide/browser/config.html#browser-api
37
/ 100
moderate-risk
Severity 18/34 · Moderate
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal