Headline
GHSA-8gvc-j273-4wm5: Vitest browser mode serves arbitrary files
Summary
__screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files.
Details
This __screenshot-error handler on the browser mode HTTP server responds any file on the file system.
https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130
This code was added by https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f.
PoC
- Create a directory and change the current directory to that directory
- Run
npx vitest init browser - Run
npm run test:browser - Run
curl http://localhost:63315/__screenshot-error?file=/path/to/any/file
Impact
Users explicitly exposing the browser mode server to the network by browser.api.host: true may get any files exposed.
Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.