CVE-2025-24963
Published 2025-02-04
Priority: P2 77 high · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 2.29% (81.1th percentile)
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, a remote attacker can send a request to that handler to read the content of arbitrary files. This `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may have any file exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_apr_1.7.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_apr_1.7.5-1_on_azure_linux_3.0 | — | — |
| vitest-dev | vitest | — | — |
| vitest-dev | vitest | — | — |
| vitest.dev | vitest | < 2.1.9 | 2.1.9 |
| vitest.dev | vitest | >= 3.0.0 < 3.0.4 | 3.0.4 |
| vitest | browser | >= 2.0.4 < 2.1.9 | 2.1.9 |
| vitest | browser | >= 3.0.0 < 3.0.4 | 3.0.4 |
Detection & IOCs (extracted from sources)
- Look for HTTP GET requests to the `/__screenshot-error` path with a `file=` query parameter, especially with path traversal values such as `/etc/passwd` or other sensitive file paths.
- A successful exploitation response will return HTTP 200 with Content-Type `image/png` and the body will contain the contents of the requested file (e.g., matching `root:.*:0:0:` for /etc/passwd).
- The vulnerability is only exploitable when the Vitest browser mode server is exposed to the network via `browser.api.host: true`. Monitor for external requests to the Vitest browser mode HTTP server port.
- The vulnerability is only exploitable when the Vitest browser mode server is explicitly exposed to the network. Default configurations (localhost only) are not remotely exploitable.
- Fixed versions are 2.1.9 and 3.0.4. Instances running older versions of Vitest with browser mode enabled and network-exposed are vulnerable.
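As an added example (not code from the Vitest project or from any of the advisories above), the request-side indicators in this list turned into a small access-log scanner. The log lines are constructed samples in Apache combined format, and the relative `__screenshots__/...` path standing in for legitimate use of the handler is an assumption.

```javascript
// Flag access-log lines that hit the vulnerable `/__screenshot-error` handler
// with a `file=` parameter, and classify the requested path so that absolute
// paths and traversal sequences can be triaged before ordinary screenshot reads.
// SAMPLE_LOG holds constructed lines, not captured traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [04/Feb/2025:10:00:01 +0000] "GET /__screenshot-error?file=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
  '10.0.0.5 - - [04/Feb/2025:10:00:02 +0000] "GET /__screenshot-error?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1200 "-" "curl/8.4.0"',
  '127.0.0.1 - - [04/Feb/2025:10:00:03 +0000] "GET /__screenshot-error?file=__screenshots__/test-1.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [04/Feb/2025:10:00:04 +0000] "GET /__vitest__/ HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
];

// client, timestamp, method, request-target, status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function classifyFile(file) {
  // Decode up to three times so a double-encoded traversal (..%252F) is not missed.
  let decoded = file;
  for (let i = 0; i < 3; i++) {
    try {
      const next = decodeURIComponent(decoded);
      if (next === decoded) break;
      decoded = next;
    } catch { break; }
  }
  const norm = decoded.replace(/\\/g, '/');
  if (norm.startsWith('/') || /^[A-Za-z]:\//.test(norm)) return 'absolute-path';
  if (norm.split('/').includes('..')) return 'traversal';
  return 'relative';
}

function detect(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, client, ts, method, target, status] = m;
    const url = new URL(target, 'http://localhost'); // base only needed to parse a path
    if (url.pathname !== '/__screenshot-error') continue;
    const file = url.searchParams.get('file'); // searchParams decodes one level
    if (file === null) continue;
    hits.push({ client, ts, method, status, file, kind: classifyFile(file),
      remote: !['127.0.0.1', '::1'].includes(client) });
  }
  return hits;
}
```

Hits with `kind` of `absolute-path` or `traversal` and `remote: true` match the first and third indicators; a `relative` hit from loopback is the handler's expected use.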
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | 7.5 | HIGH | — |
| vendor_msrc | 9.8 | CRITICAL | — |
GHSA
Vitest browser mode serves arbitrary files
ghsa · 2025-02-04 · CVE-2025-24963 [MEDIUM] CWE-22
### Summary
The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api), a remote attacker can send a request to that handler to read the content of arbitrary files.
### Details
This `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system.
https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130
This code was added by https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f.
### PoC
1. Create a directory and change the c
OSV
Vitest browser mode serves arbitrary files
osv · 2025-02-04 · CVE-2025-24963 [MEDIUM]
VulnCheck
vitest.dev vitest Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2025 · CVSS 7.5 · CVE-2025-24963 [HIGH]
Microsoft
Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions
vendor_msrc · 2023-01-10 · CVSS 9.8 · CVE-2022-24963 [CRITICAL] CWE-190
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
apache: apache
Customer Action Required: Yes
Remediation: CBL-Mariner
No detection rules found.
Nuclei
Vitest Browser Mode - Local File Read
nuclei · CVSS 7.5 · CVE-2025-24963 [HIGH]
Template:
id: CVE-
No writeups or analysis indexed.
References:
- https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130
- https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5
- https://vitest.dev/guide/browser/config.html#browser-api