{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "converter_document",
  "evidence_scope": "production_path",
  "claimed_impact_class": "info_leak",
  "observed_impact_class": "info_leak",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Crafted query string '?import&raw??' appended to a /@fs/<absolute-path> URL against a network-exposed Vite dev server",
  "trigger_path": "Vite dev server transformMiddleware: the rawRE/urlRE guard is skipped because the trailing '??' stops /(\\?|&)raw(?:&|$)/ from matching, so ensureServingAccess is never called; isImportRequest is true for '?import&' -> transformRequest -> vite:raw plugin loads the out-of-root file -> HTTP 200 with file contents",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": null,
  "inferred": false
}
