CVE-2025-24963
published 2025-02-04


Priority: P2 (77, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 2.29% (81.1th percentile)
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. If the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from a remote host to obtain the content of arbitrary files. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may have any file exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected (8 ranges)

Vendor      Product                               Version range       Fixed in
msrc        azl3_apr_1.7.2-1_on_azure_linux_3.0
msrc        azl3_apr_1.7.5-1_on_azure_linux_3.0
vitest-dev  vitest
vitest-dev  vitest
vitest.dev  vitest                                < 2.1.9             2.1.9
vitest.dev  vitest                                >= 3.0.0, < 3.0.4   3.0.4
vitest      browser                               >= 2.0.4, < 2.1.9   2.1.9
vitest      browser                               >= 3.0.0, < 3.0.4   3.0.4

Detection & IOCs (extracted from sources)

url:  /__screenshot-error?file=/etc/passwd
path: /__screenshot-error
hash: 2d62051f13b4b0939b2f7e94e88006d830dc4d1f
  • Look for HTTP GET requests to the `/__screenshot-error` path with a `file=` query parameter, especially with path traversal values such as `/etc/passwd` or other sensitive file paths.
  • A successful exploitation response will return HTTP 200 with Content-Type `image/png` and the body will contain the contents of the requested file (e.g., matching `root:.*:0:0:` for /etc/passwd).
  • Vulnerability is only exploitable when the Vitest browser mode server is exposed to the network via `browser.api.host: true`. Monitor for external requests to the Vitest browser mode HTTP server port.
  • The vulnerability is only exploitable when the Vitest browser mode server is explicitly exposed to the network. Default configurations (localhost only) are not remotely exploitable.
  • Fixed versions are 2.1.9 and 3.0.4. Instances running older versions of Vitest with browser mode enabled and network-exposed are vulnerable.
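As an added illustration (not code from this page or from the Vitest project), the following Python scans web-server access logs for the request pattern described in the first two bullets and ranks each hit by how far the `file=` value reaches outside the expected screenshot location. The log lines are constructed samples, and the `SENSITIVE` list is an assumed starting point, not an exhaustive one.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [04/Feb/2025:10:01:02 +0000] "GET /__screenshot-error?file=/etc/passwd HTTP/1.1" 200 1872 "-" "curl/8.4.0"
10.0.0.9 - - [04/Feb/2025:10:01:05 +0000] "GET /__vitest__/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Feb/2025:10:01:09 +0000] "GET /__screenshot-error?file=..%2F..%2F.env HTTP/1.1" 200 88 "-" "curl/8.4.0"
10.0.0.3 - - [04/Feb/2025:10:02:10 +0000] "GET /__screenshot-error?file=screenshots/failed.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HANDLER = "/__screenshot-error"
# Well-known secret-bearing paths (assumed list; extend for your environment).
SENSITIVE = ("/etc/passwd", "/etc/shadow", ".env", ".ssh/", ".npmrc")


def classify(file_param: str, status: int) -> str:
    """'high': file= leaves the screenshot directory (absolute path or '..') or
    names a known secret, and the server answered 200; 'medium': such a value
    not served, or any other file= value served with 200; 'low': the rest."""
    decoded = unquote(file_param)  # parse_qs decoded once; catch double-encoding
    escapes = decoded.startswith("/") or ".." in decoded
    if escapes or any(s in decoded for s in SENSITIVE):
        return "high" if status == 200 else "medium"
    return "medium" if status == 200 else "low"


def scan_log(text: str) -> list[dict]:
    """Return one finding per file= parameter sent to the handler."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != HANDLER:
            continue
        status = int(m["status"])
        for f in parse_qs(url.query).get("file", []):
            findings.append({"ip": m["ip"], "time": m["ts"], "file": f,
                             "status": status, "severity": classify(f, status)})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]:10} {hit["status"]} file={hit["file"]}')
```

A 200 response to a `high` finding is the case the second bullet describes; pair it with the host's Vitest version and `browser.api.host` setting to confirm exposure.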

CVSS provenance

nvd (v3.1):   7.5 HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck:    7.5 HIGH
vendor_msrc:  9.8 CRITICAL