The Vite development server is vulnerable to arbitrary file read due to insufficient path validation when processing URL requests. This exploit sends a crafted URL request to the Vite development server that includes the target filename combined with a specific parameter. If the server responds with 200 OK, the exploit passes the server's Base64-encoded response through a decoding routine and displays the file contents. Optionally, the exploit can save the leaked file locally to the location the user defines in the OUTPUT_PATH parameter.
CVE Link
Exploit Platform
Exploit Type
Product Name