Skip to content

Browser mode serves arbitrary files

Moderate
sheremet-va published GHSA-8gvc-j273-4wm5 Feb 4, 2025

Package

npm vitest (npm)

Affected versions

>=2.0.4, <=2.1.8
>=3.0.0, <= 3.0.3

Patched versions

>=2.1.9, <3.0.0
>=3.0.4

Description

Summary

__screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files.

Details

This __screenshot-error handler on the browser mode HTTP server responds any file on the file system.

vitest/packages/browser/src/node/plugin.ts

Lines 88 to 130 in f17918a

server.middlewares.use(`${base}__screenshot-error`, function vitestBrowserScreenshotError(req, res) {
if (!req.url) {
res.statusCode = 404
res.end()
return
}
const url = new URL(req.url, 'http://localhost')
const file = url.searchParams.get('file')
if (!file) {
res.statusCode = 404
res.end()
return
}
let stat: Stats | undefined
try {
stat = lstatSync(file)
}
catch {
}
if (!stat?.isFile()) {
res.statusCode = 404
res.end()
return
}
const ext = extname(file)
const buffer = readFileSync(file)
res.setHeader(
'Cache-Control',
'public,max-age=0,must-revalidate',
)
res.setHeader('Content-Length', buffer.length)
res.setHeader('Content-Type', ext === 'jpeg' || ext === 'jpg'
? 'image/jpeg'
: ext === 'webp'
? 'image/webp'
: 'image/png')
res.end(buffer)
})
}

This code was added by 2d62051.

PoC

  1. Create a directory and change the current directory to that directory
  2. Run npx vitest init browser
  3. Run npm run test:browser
  4. Run curl http://localhost:63315/__screenshot-error?file=/path/to/any/file

Impact

Users explicitly exposing the browser mode server to the network by browser.api.host: true may get any files exposed.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2025-24963

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Credits