CVE-2025-24963
Published: 04 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24963 is a path traversal vulnerability (CWE-22) in Vitest, a Vite-powered testing framework. The issue affects the browser mode HTTP server, specifically the `__screenshot-error` handler, which responds with the contents of arbitrary files on the file system. This flaw was introduced by commit `2d62051` in the `packages/browser/src/node/plugin.ts` file and impacts users running Vitest in browser mode.
An attacker can exploit this vulnerability remotely if the browser mode server is explicitly exposed on the network via the `browser.api.host: true` configuration. By sending a crafted request to the `__screenshot-error` handler, the attacker can read the contents of any file accessible to the server process, achieving high confidentiality impact with no privileges required, though exploitation requires high attack complexity. The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
The Vitest security advisory (GHSA-8gvc-j273-4wm5) confirms the issue has been addressed in versions 2.1.9 and 3.0.4, advising users to upgrade immediately. No workarounds are available. Additional details are in the Vitest browser configuration documentation and the fixing commit.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in exposed browser mode HTTP server enables remote exploitation of public-facing application (T1190) to read arbitrary local files (T1005).