CVE-2025-24963 in vitestinfo

Summary

by MITRE • 02/04/2025

Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/31/2025

This vulnerability exists in Vitest, a popular testing framework built on Vite, where the browser mode HTTP server contains a dangerous file reading handler named `__screenshot-error`. The flaw stems from the server's design to respond to arbitrary file requests through this specific endpoint, which becomes exploitable when the browser mode server is exposed to network access via the configuration parameter `browser.api.host: true`. This configuration allows external network access to the Vitest server, creating a critical security risk that can be exploited by remote attackers to read any file accessible to the server process.

The technical implementation of this vulnerability is particularly concerning as it directly maps HTTP requests to file system operations without proper input validation or access control measures. The `__screenshot-error` handler was introduced through commit `2d62051` and represents a design flaw where the server's file serving mechanism lacks proper sanitization of file paths. When an attacker sends a crafted request to this endpoint, the server attempts to read and return the specified file from the file system, potentially exposing sensitive data including configuration files, source code, environment variables, or other system resources that the server process can access.

The operational impact of this vulnerability is severe for organizations using Vitest in their development workflows, particularly when running tests in browser mode with network exposure enabled. Attackers can leverage this flaw to perform unauthorized file enumeration and data exfiltration, potentially accessing sensitive information such as API keys, database credentials, or application source code. This vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path) categories, representing a classic path traversal vulnerability that has been exacerbated by the server's design to serve arbitrary files. The attack surface expands significantly when developers configure `browser.api.host: true` for remote debugging or testing purposes, as this creates an unintended backdoor for attackers to access the underlying file system.

The vulnerability has been addressed in Vitest versions 2.1.9 and 3.0.4, which implement proper access controls and input validation for the file serving endpoints. Security practitioners should immediately upgrade their Vitest installations to these patched versions to eliminate the risk. The lack of known workarounds means that organizations cannot mitigate this vulnerability through configuration changes alone, making the upgrade the only effective remediation approach. This vulnerability demonstrates the importance of validating all input paths in web applications and highlights the risks associated with exposing development tools to network access without proper security hardening. The issue also relates to ATT&CK technique T1566.001 (Phishing: Spearphishing Attachment) and T1083 (File and Directory Discovery) where attackers can exploit such flaws to gain unauthorized access to system resources and perform reconnaissance activities. Organizations should conduct security reviews of their development environments to ensure that testing frameworks are not inadvertently exposed to external networks and should implement proper network segmentation to prevent unauthorized access to development tooling.

Responsible

GitHub M

Reservation

01/29/2025

Disclosure

02/04/2025

Moderation

accepted

CPE

ready

EPSS

0.02317

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!