CVE-2025-24963: 
JavaScript vulnerability analysis and mitigation

Vitest, a testing framework powered by Vite, contains a vulnerability in versions prior to 2.1.9 and 3.0.4 where the __screenshot-error handler on the browser mode HTTP server responds with any file on the file system. When the server is exposed on the network using browser.api.host: true, an attacker can send a request to that handler remotely to access arbitrary files. This vulnerability was discovered on February 4, 2025 (GitHub Advisory).

The vulnerability exists in the __screenshot-error handler implementation which lacks proper path validation. The handler accepts a file parameter through URL search params and uses it directly to read and serve files from the filesystem. The code was introduced by commit 2d62051. The vulnerability has been assigned a CVSS v3.1 score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with high attack complexity and potential for high confidentiality impact (GitHub Advisory).

When the browser mode server is exposed to the network through browser.api.host: true configuration, an attacker can exploit this vulnerability to read arbitrary files from the system where Vitest is running. This could lead to exposure of sensitive information such as configuration files, source code, or other system files (GitHub Advisory).

The vulnerability has been fixed in versions 2.1.9 and 3.0.4. Users are advised to upgrade to these or later versions. There are no known workarounds for this vulnerability (GitHub Advisory).