CVE-2025-24963

Name of the Vulnerable Software and Affected Versions: Vitest versions prior to 2.1.9 Vitest versions prior to 3.0.4

Description: The screenshot-error handler on the browser mode HTTP server responds to any file on the file system. If the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files. This issue allows attackers to read arbitrary files on the system.

Recommendations: For versions prior to 2.1.9, update to version 2.1.9 or later. For versions prior to 3.0.4, update to version 3.0.4 or later. As a temporary workaround, consider disabling the browser.api.host: true configuration to prevent exposure of the browser mode server to the network. Restrict access to the screenshot-error handler to minimize the risk of exploitation. Avoid using the file parameter in the screenshot-error handler until the issue is resolved.