CVE-2025-24963 Scanner
CVE-2025-24963 Scanner - Arbitrary File Read vulnerability in Vitest Browser Mode
Short Info
Level
Medium
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
1 week 11 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
-
Vitest Browser Mode is a feature of the Vitest testing framework, designed for executing tests in a browser environment. It allows developers to run automated tests on their frontend applications and components. The framework is commonly used in web development for unit and integration testing. It integrates with Vite, a modern build tool, to provide a fast and efficient testing experience. Developers use Vitest for ensuring code quality and stability in JavaScript and TypeScript projects. The browser mode can be exposed to a network, allowing remote access for distributed testing.
The Arbitrary File Read vulnerability in Vitest Browser Mode allows unauthorized access to system files. The flaw resides in the `__screenshot-error` handler, which exposes arbitrary files when the browser mode HTTP server is accessible over the network. If the server is configured with `browser.api.host- true`, attackers can send specially crafted requests to retrieve sensitive files. The vulnerability occurs due to improper access control on file requests. Exploiting this issue could lead to information disclosure, including system credentials and configuration files. The affected versions are those before 2.1.9 and 3.0.4.
The vulnerability is caused by the improper handling of file retrieval requests in the `__screenshot-error` handler. Attackers can send a request with a file path parameter to gain access to arbitrary system files. Since the affected endpoint does not properly restrict file access, it allows reading files from the file system. If the server is publicly exposed, remote attackers can exploit this to retrieve sensitive information. The vulnerability was introduced in commit `2d62051`, which added this insecure functionality. The issue has been fixed in versions 2.1.9 and 3.0.4.
Exploiting this vulnerability can lead to serious security risks. Attackers can retrieve system files containing credentials, API keys, or other sensitive information. Unauthorized access to configuration files can expose details about the application’s internal structure. If attackers gain access to private application data, it can lead to further exploits and privilege escalation. In some cases, the exposure of critical system files may enable remote code execution when combined with other vulnerabilities. Organizations running affected versions should upgrade immediately to mitigate the risk.
REFERENCES
- https://github.com/advisories/GHSA-8gvc-j273-4wm5
- https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130
- https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5
- https://vitest.dev/guide/browser/config.html#browser-api
- https://nvd.nist.gov/vuln/detail/CVE-2025-24963
