更新: 359 个文件 - 2026-03-16 23:30:01

2026-03-16 23:30:01 -07:00
--- a/07-framework-security/frameworks/vite/INDEX.md
+++ b/07-framework-security/frameworks/vite/INDEX.md
@@ -8,7 +8,11 @@
 - 总案例数: `12`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `12`
- 最近渲染时间: `2026-03-17T04:37:52+00:00`
+- 已实证(真实版本): `0`
+- 已实证(synthetic): `0`
+- 阻塞数: `0`
+- 待人工/缺浏览器证据: `12`
+- 最近渲染时间: `2026-03-17T06:28:45+00:00`

 ## 目标约束

@@ -26,17 +30,17 @@

 ## 案例列表

-| 标题 | 严重度 | 状态 | 来源置信度 | 更新时间 | 案例页 |
-|------|--------|------|------------|----------|--------|
-| vite allows server.fs.deny bypass via backslash on Windows | `medium` | `generated` | `official` | `2026-02-04T04:13:38.886554Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-62522.md) |
-| Vite middleware may serve files starting with the same name with the public directory | `medium` | `generated` | `official` | `2026-02-04T04:33:22.508417Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-58751.md) |
-| Vite's `server.fs` settings were not applied to HTML files | `medium` | `generated` | `official` | `2026-02-04T04:35:16.287471Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-58752.md) |
-| Vite's server.fs.deny bypassed with /. for files under project root | `medium` | `generated` | `official` | `2026-02-04T03:27:17.681639Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-46565.md) |
-| Vite has an `server.fs.deny` bypass with an invalid `request-target` | `medium` | `generated` | `official` | `2026-02-04T04:11:44.900383Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-32395.md) |
-| Vite allows server.fs.deny to be bypassed with .svg or relative paths | `low` | `generated` | `official` | `2026-02-04T03:51:38.412061Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-31486.md) |
-| Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query | `low` | `generated` | `official` | `2026-02-04T04:37:24.129476Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-31125.md) |
-| Vite bypasses server.fs.deny when using ?raw?? | `low` | `generated` | `official` | `2026-02-04T03:13:24.371631Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-30208.md) |
-| Websites were able to send any requests to the development server and read the response in vite | `low` | `generated` | `official` | `2026-02-04T04:37:03.076966Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-24010.md) |
-| Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS | `low` | `generated` | `official` | `2026-02-04T04:04:22.977459Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2024-45812.md) |
-| Vite's `server.fs.deny` is bypassed when using `?import&raw` | `low` | `generated` | `official` | `2026-02-04T04:05:31.919291Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2024-45811.md) |
-| Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem | `low` | `generated` | `official` | `2026-02-04T04:17:01.410592Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2024-23331.md) |
+| 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
+|------|--------|----------|----------|----------|------------|----------|--------|
+| vite allows server.fs.deny bypass via backslash on Windows | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:13:38.886554Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-62522.md) |
+| Vite middleware may serve files starting with the same name with the public directory | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:33:22.508417Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-58751.md) |
+| Vite's `server.fs` settings were not applied to HTML files | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:35:16.287471Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-58752.md) |
+| Vite's server.fs.deny bypassed with /. for files under project root | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T03:27:17.681639Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-46565.md) |
+| Vite has an `server.fs.deny` bypass with an invalid `request-target` | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:11:44.900383Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-32395.md) |
+| Vite allows server.fs.deny to be bypassed with .svg or relative paths | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T03:51:38.412061Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-31486.md) |
+| Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:37:24.129476Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-31125.md) |
+| Vite bypasses server.fs.deny when using ?raw?? | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T03:13:24.371631Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-30208.md) |
+| Websites were able to send any requests to the development server and read the response in vite | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:37:03.076966Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2025-24010.md) |
+| Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:04:22.977459Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2024-45812.md) |
+| Vite's `server.fs.deny` is bypassed when using `?import&raw` | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:05:31.919291Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2024-45811.md) |
+| Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T04:17:01.410592Z` | [link](/Users/x/websafe/07-framework-security/frameworks/vite/cases/vite-cve-2024-23331.md) |
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2024-23331.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2024-23331.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:17:01.410592Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -37,6 +41,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8r

 # Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2024-23331`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2024-45811.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2024-45811.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:05:31.919291Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -41,6 +45,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-28

 # Vite's `server.fs.deny` is bypassed when using `?import&raw`

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2024-45811`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2024-45812.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2024-45812.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:04:22.977459Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -43,6 +47,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g4

 # Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2024-45812`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-24010.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-24010.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:37:03.076966Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -38,6 +42,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rc

 # Websites were able to send any requests to the development server and read the response in vite

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-24010`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-30208.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-30208.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T03:13:24.371631Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -39,6 +43,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m8

 # Vite bypasses server.fs.deny when using ?raw??

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-30208`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-31125.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-31125.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:37:24.129476Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -39,6 +43,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw

 # Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-31125`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-31486.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-31486.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T03:51:38.412061Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -40,6 +44,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq

 # Vite allows server.fs.deny to be bypassed with .svg or relative paths

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-31486`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-32395.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-32395.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:11:44.900383Z"
 severity: "medium"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -39,6 +43,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63

 # Vite has an `server.fs.deny` bypass with an invalid `request-target`

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-32395`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-46565.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-46565.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T03:27:17.681639Z"
 severity: "medium"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -39,6 +43,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-859w-59

 # Vite's server.fs.deny bypassed with /. for files under project root

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-46565`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-58751.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-58751.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:33:22.508417Z"
 severity: "medium"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -37,6 +41,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2

 # Vite middleware may serve files starting with the same name with the public directory

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-58751`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-58752.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-58752.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:35:16.287471Z"
 severity: "medium"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -38,6 +42,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq

 # Vite's `server.fs` settings were not applied to HTML files

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-58752`
--- a/07-framework-security/frameworks/vite/cases/vite-cve-2025-62522.md
+++ b/07-framework-security/frameworks/vite/cases/vite-cve-2025-62522.md
@@ -8,6 +8,10 @@ updated_date: "2026-02-04T04:13:38.886554Z"
 severity: "medium"
 exploit_status: "unknown"
 source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
 target_types:
  - "lab-local"
  - "lab-public"
@@ -40,6 +44,15 @@ primary_source: "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-66

 # vite allows server.fs.deny bypass via backslash on Windows

+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
 ## 事件层

 - Canonical ID: `vite--CVE-2025-62522`