CVE-2025-24963: Vitest browser mode serves arbitrary files
Vitest's browser mode HTTP server has a __screenshot-error handler that responds with any file on the file system. Especially if the server is exposed on the network via browser.api.host: true, an attacker can send a request to that handler from a remote host to obtain the content of arbitrary files.
References
- github.com/advisories/GHSA-8gvc-j273-4wm5
- github.com/vitest-dev/vitest
- github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f
- github.com/vitest-dev/vitest/commit/ed9aeba212df04b83ed01810780663ff2cdd0adf
- github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5
- nvd.nist.gov/vuln/detail/CVE-2025-24963