Fluid Attacks Database

Description

Vitest browser mode serves arbitrary files

Summary

__screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files.

Details

This __screenshot-error handler on the browser mode HTTP server responds any file on the file system. https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130

This code was added by https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f.

PoC

Create a directory and change the current directory to that directory

Run npx vitest init browser

Run npm run test:browser

Run curl http://localhost:63315/__screenshot-error?file=/path/to/any/file

Impact

Users explicitly exposing the browser mode server to the network by browser.api.host: true may get any files exposed.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@vitest/browser	>=2.0.4 <2.1.9 \|\| >=3.0.0 <3.0.4	2.1.9, 3.0.4

Aliases

1. CVE-2025-249632. NVD-2025-249633. OSV-2025-249634. GHSA-8gvc-j273-4wm55. GCVE-2025-24963

References

1. https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm52. https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f3. https://github.com/vitest-dev/vitest/commit/ed9aeba212df04b83ed01810780663ff2cdd0adf4. https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L1305. https://vitest.dev/guide/browser/config.html#browser-api6. https://vulncheck.com/cve/CVE-2025-249637. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24963.yaml8. https://github.com/hiteshpatra/CVE-2025-24963