CVE-2025-24963 Overview
CVE-2025-24963 is a Path Traversal vulnerability in Vitest, a popular testing framework powered by Vite. The vulnerability exists in the __screenshot-error handler on the browser mode HTTP server, which improperly responds with any file on the file system when requested. When the server is exposed on the network by setting browser.api.host: true, an attacker can send crafted requests to this handler from a remote location to retrieve the contents of arbitrary files on the target system.
Critical Impact
Remote attackers can read sensitive files from the file system, potentially exposing credentials, configuration files, source code, and other confidential data on systems running Vitest with browser mode exposed to the network.
Affected Products
- Vitest versions prior to 2.1.9
- Vitest versions 3.x prior to 3.0.4
- Systems with browser.api.host: true configuration enabled
Discovery Timeline
- 2025-02-04 - CVE-2025-24963 published to NVD
- 2025-12-31 - Last updated in NVD database
Technical Details for CVE-2025-24963
Vulnerability Analysis
This Path Traversal vulnerability allows unauthenticated remote attackers to read arbitrary files from the file system of servers running Vitest in browser mode. The vulnerability stems from insufficient input validation in the __screenshot-error endpoint, which was introduced in commit 2d62051. When the browser mode HTTP server is exposed to the network via the browser.api.host: true configuration setting, attackers can craft malicious requests to traverse outside the intended directory structure and access sensitive files.
The attack requires no authentication or user interaction and can be performed remotely over the network. Successful exploitation results in complete confidentiality breach, allowing attackers to exfiltrate sensitive data including application source code, environment files containing secrets, SSH keys, and other confidential information stored on the affected system.
Root Cause
The root cause is a classic CWE-22 (Path Traversal) vulnerability where the __screenshot-error handler fails to properly validate and sanitize file path inputs before serving file contents. The vulnerable code accepts user-supplied path parameters without adequately restricting access to files within a safe directory boundary, allowing directory traversal sequences to escape the intended file scope.
Attack Vector
The attack is conducted over the network against Vitest instances running in browser mode with the server explicitly exposed via browser.api.host: true. An attacker can send HTTP requests to the __screenshot-error endpoint with path traversal sequences (such as ../) to navigate the file system and retrieve arbitrary files. The attack requires no privileges or authentication, making it particularly dangerous for exposed development or CI/CD environments.
// Security patch showing changes to packages/browser/src/node/plugin.ts
// Source: https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f
import { fileURLToPath } from 'node:url'
import { createRequire } from 'node:module'
-import { readFileSync } from 'node:fs'
-import { basename, resolve } from 'pathe'
+import { lstatSync, readFileSync } from 'node:fs'
+import type { Stats } from 'node:fs'
+import { basename, extname, resolve } from 'pathe'
import sirv from 'sirv'
import type { WorkspaceProject } from 'vitest/node'
import { getFilePoolName, resolveApiServerConfig, resolveFsAllow, distDir as vitestDist } from 'vitest/node'
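Review bot: the excerpt contains only import changes (lstatSync, the Stats type and extname added; readFileSync, basename and resolve kept) and none of the handler code that would use them, so it does not show the path validation the header comment on the first line credits it with; the Vulnerability Analysis section above also names this same commit 2d62051 as the one that introduced the __screenshot-error endpoint, so either relabel this block as the introducing change or replace it with the hunk from the fixing commit that adds the confinement check on the requested path.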
Detection Methods for CVE-2025-24963
Indicators of Compromise
- Unusual HTTP requests to __screenshot-error endpoints containing path traversal sequences (../, ..%2f, etc.)
- Access logs showing requests attempting to retrieve system files like /etc/passwd, .env, or SSH keys
- Unexpected network connections to Vitest browser mode server from external IP addresses
- High volume of file read operations from the Vitest process to sensitive directories
Detection Strategies
- Monitor HTTP access logs for requests containing directory traversal patterns targeting the __screenshot-error handler
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts
- Review Vitest configuration files for instances where browser.api.host: true is set
- Deploy file integrity monitoring on sensitive files to detect unauthorized access
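The first two strategies above, as an added example that is not the advisory's or Vitest's own code: a small Node script that parses combined-format access log lines, percent-decodes the request path (including double encoding) and reports requests to the __screenshot-error handler that contain a '..' segment, grouped by source address. The sample log lines and the `file` query parameter name are constructed for this example; the real handler's parameter is not given on this page.

```javascript
// Added detection example, not part of Vitest or the advisory. Scans
// combined-format access log lines for __screenshot-error requests carrying
// directory traversal, percent-decoding (incl. double encoding) before
// matching. Log lines and the 'file' query parameter are constructed.
const SAMPLE_LOG = [
  '10.0.0.5 - - [04/Feb/2025:10:01:02 +0000] "GET /__screenshot-error?file=shot-1.png HTTP/1.1" 200 4321',
  '203.0.113.7 - - [04/Feb/2025:10:01:09 +0000] "GET /__screenshot-error?file=../../../../etc/passwd HTTP/1.1" 200 1711',
  '203.0.113.7 - - [04/Feb/2025:10:01:11 +0000] "GET /__screenshot-error?file=..%2F..%2F..%2F.env HTTP/1.1" 200 312',
  '203.0.113.7 - - [04/Feb/2025:10:01:15 +0000] "GET /__screenshot-error?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 98',
  '10.0.0.9 - - [04/Feb/2025:10:02:30 +0000] "GET /docs/../README.md HTTP/1.1" 404 0',
]

// ip ident user [time] "METHOD PATH PROTO" status ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/
function parseLine(line) {
  const m = LINE_RE.exec(line)
  if (!m) return null
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) }
}

// Decode repeatedly (bounded) so %252e%252e, a double-encoded '..', is seen.
function fullyDecode(s) {
  let cur = s
  for (let i = 0; i < 3; i++) {
    let next
    try { next = decodeURIComponent(cur) } catch { return cur } // undecodable: keep what we have
    if (next === cur) break
    cur = next
  }
  return cur
}

// A '..' segment followed by a separator or the end of the string.
const TRAVERSAL_RE = /\.\.(?:[\/\\]|$)/

// One hit per request to the vulnerable handler whose decoded path traverses.
function findTraversalHits(lines) {
  const hits = []
  for (const line of lines) {
    const req = parseLine(line)
    if (!req || !req.path.includes('__screenshot-error')) continue
    const decoded = fullyDecode(req.path)
    if (TRAVERSAL_RE.test(decoded)) hits.push({ ip: req.ip, time: req.time, status: req.status, raw: req.path, decoded })
  }
  return hits
}

// Hits per source address: repeated probes from one client warrant an alert.
function hitsBySource(hits) {
  return hits.reduce((acc, h) => ({ ...acc, [h.ip]: (acc[h.ip] || 0) + 1 }), {})
}
```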
Monitoring Recommendations
- Enable verbose logging on Vitest servers exposed to the network to capture all incoming requests
- Implement network segmentation to isolate development and testing environments from untrusted networks
- Set up alerts for any external access attempts to ports commonly used by Vitest browser mode
How to Mitigate CVE-2025-24963
Immediate Actions Required
- Upgrade Vitest to version 2.1.9 or later (for 2.x users) or version 3.0.4 or later (for 3.x users)
- Disable network exposure by removing or setting browser.api.host: false in Vitest configuration until patched
- Audit any systems that may have been exposed to determine if unauthorized file access occurred
- Implement network-level access controls to restrict access to Vitest servers to trusted sources only
Patch Information
The vulnerability has been addressed in Vitest versions 2.1.9 and 3.0.4. Users should upgrade to these versions or later immediately. The patch introduces proper path validation using lstatSync and additional path handling with extname to prevent arbitrary file access through the __screenshot-error endpoint.
For detailed patch information, refer to the GitHub Security Advisory GHSA-8gvc-j273-4wm5 and the commit details.
Workarounds
- There are no known workarounds for this vulnerability according to the vendor advisory
- As a temporary measure, ensure browser.api.host is not set to true to prevent network exposure
- Use firewall rules to block external access to the Vitest browser mode server port
- Run Vitest in isolated network environments where external access is not possible
# Configuration example - ensure the browser API is not exposed to the network.
# In vitest.config.ts or vitest.config.js, verify or add:
#   browser: {
#     api: {
#       host: false, // do not expose to the network
#     },
#   },
# Verify the installed Vitest version and upgrade if it is vulnerable
npm list vitest
npm install vitest@latest
# Or pin the first fixed release for your major version
npm install vitest@2.1.9   # for 2.x users
npm install vitest@3.0.4   # for 3.x users
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.