Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE ID: CVE-2025-24963
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor: vitest-dev
Product: vitest
http/cves/2025/CVE-2025-24963.yaml
EPSS Score: 0.07% (probability of being exploited)
EPSS Percentile: 31.41% (scored less or equal to compared to others)
EPSS Date: 2025-03-05 (when was this score calculated)