Sign up for FREE to recieve instant alerts about this vulnerability!
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
EPSS Score: 0.07% (probability of being exploited)
EPSS Percentile: 0.31115 (how common is this exploit)
EPSS Date: 2025-02-16 (when was this score calculated)
CVE ID: CVE-2025-24963
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor: vitest-dev
Product: vitest