← Back to CVE List

CVE-2025-24963

Published: 2025-02-04T20:15Z
Last Modified: 2025-02-04T20:15Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt