CVE-2025-24963
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-24963
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24963.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-24963
- Aliases
- Published
- 2025-02-04T19:36:52.385Z
- Modified
- 2026-01-03T09:49:36.344556Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Browser mode serves arbitrary files in vitest
- Details
-
Vitest is a testing framework powered by Vite. The
__screenshot-errorhandler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network bybrowser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files.This__screenshot-errorhandler on the browser mode HTTP server responds any file on the file system. This code was added by commit2d62051. Users explicitly exposing the browser mode server to the network bybrowser.api.host: truemay get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. - Database specific
{ "cwe_ids": [ "CWE-22" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24963.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24963.json
- https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130
- https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5
- https://nvd.nist.gov/vuln/detail/CVE-2025-24963
- https://vitest.dev/guide/browser/config.html#browser-api