Verified — Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.
Severity: MEDIUM
Confidence: HIGH
Reproduced in: 23m 11s
Tool calls: 258
Spend: $4.12
Affected: >= 6.2.0 < 6.2.3; >= 6.1.0 < 6.1.2; >= 6.0.0 < 6.0.12; >= 5.0.0 < 5.4.15; < 4.5.10
Fixed in: 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10
$ pruva-verify REPRO-2026-00195
or
$ curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00195/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
Vite’s dev server @fs access control can be bypassed by appending crafted query strings such as ?raw?? or ?import&raw??, allowing arbitrary files outside the allowed serving list to be read when the dev server is exposed to the network.
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Scripts, logs, diffs, and output captured during the reproduction.