Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24963 PoC — Vitest 路径遍历漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24963.yaml
Associated Vulnerability
Title:Vitest 路径遍历漏洞 (CVE-2025-24963)
Description:Vitest是Vitest开源的一个 Vite 支持的下一代测试框架。 Vitest存在路径遍历漏洞,该漏洞源于浏览器模式HTTP服务器上的__screenshot-error处理程序可响应文件系统上的任何文件。
Description
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host- true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host- true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
File Snapshot

 id: CVE-2025-24963

info:
  name: Vitest Browser Mode - Local File Read
  author: iamnoooob,rootxhar

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.