Directory Traversal Vulnerability in Vitest Testing Framework
CVE-2025-24963
5.9 MEDIUM
Key Information:
- Vendor: Vitest-dev
- Product: Vitest
- Status: Vendor
- CVE Published: 4 February 2025
Summary
The Vitest testing framework contains a directory traversal vulnerability in the __screenshot-error handler of its browser mode HTTP server. When the server is exposed on the network with browser.api.host: true, an attacker who can reach it can send crafted requests to this handler and potentially retrieve arbitrary files from the file system. This exposes sensitive information and poses a significant security risk. Users are strongly advised to upgrade to version 2.1.9 or 3.0.4, as there are currently no known workarounds for this vulnerability.
Affected Version(s)
- vitest >= 2.0.4, < 2.1.9 (versions before 2.0.4 not affected; fixed in 2.1.9)
- vitest >= 3.0.0, < 3.0.4 (versions before 3.0.0 not affected; fixed in 3.0.4)
References
CVSS V3.1
- Score: 5.9
- Severity: MEDIUM
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published: 4 February 2025
- Vulnerability reserved