5.9

CVSS Score

Basic Information

CVE ID

CVE-2025-24963

GHSA ID

GHSA-8gvc-j273-4wm5

EPSS Score

CWE

CWE-22

Published

2/4/2025

Updated

2/4/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24963

CVE-2025-24963:
Vitest browser mode serves arbitrary files

Summary

__screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files.

Details

This __screenshot-error handler on the browser mode HTTP server responds any file on the file system. https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130

This code was added by https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f.

PoC

Create a directory and change the current directory to that directory
Run npx vitest init browser
Run npm run test:browser
Run curl http://localhost:63315/__screenshot-error?file=/path/to/any/file

Impact

Users explicitly exposing the browser mode server to the network by browser.api.host: true may get any files exposed.

(GitHub Advisory)

5.9

CVSS Score

Basic Information

CVE ID

CVE-2025-24963

GHSA ID

GHSA-8gvc-j273-4wm5

EPSS Score

CWE

CWE-22

Published

2/4/2025

Updated

2/4/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@vitest/browser	npm	>= 2.0.4, < 2.1.9	2.1.9
@vitest/browser	npm	>= 3.0.0, < 3.0.4	3.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the __screenshot-error handler added in commit 2d62051. The function:- 1. Takes a 'file' query parameter directly from user input- 2. Uses lstatSync/fileReadSync without validating against allowed paths- 3. Serves file contents with image MIME types regardless of actual file type- 4. Exposes any file when combined with browser.api.host=true configuration.The patch in commit ed9aeba212df04b83ed01810780663ff2cdd0adf fixes this by replacing 'file' parameter with 'id' that references internal test metadata rather than direct path access, confirming this was the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry `__s*r**ns*ot-*rror` **n*l*r on t** *rows*r mo** *TTP s*rv*r t**t r*spon*s *ny *il* on t** *il* syst*m. *sp**i*lly i* t** s*rv*r is *xpos** on t** n*twork *y [`*rows*r.*pi.*ost: tru*`](*ttps://vit*st.**v/*ui**/*rows*r/*on*i*.*tml#*rows*r-

Reasoning

T** vuln*r**ility st*ms *rom t** __s*r**ns*ot-*rror **n*l*r ***** in *ommit *******. T** *un*tion:- *. T*k*s * '*il*' qu*ry p*r*m*t*r *ir**tly *rom us*r input- *. Us*s lst*tSyn*/*il*R***Syn* wit*out v*li**tin* ***inst *llow** p*t*s- *. S*rv*s *il* *o

5.9

Basic Information

Concerned about an active attack path?

CVE-2025-24963: Vitest browser mode serves arbitrary files

Summary

Details

PoC

Impact

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-24963:
Vitest browser mode serves arbitrary files

Vulnerability Intelligence
Miggo AI