File exfiltration in VS Code Live Server extension v5.7.9 via crafted HTML/localhost interaction

Repository purpose: a GitHub Pages, browser-executed proof-of-concept named “Live Server Evil Crawler” demonstrating CVE-2025-65717 (VSCode Live Server extension allowing requests from any origin). The PoC shows how a malicious web page can interact with a localhost Live Server instance and read exposed content. Structure: - README.md: describes the vulnerability, features (port scanner + crawler), and links to the hosted demo and the Ox Security article. - index.html: UI for selecting a port range to scan (default 5000–6000) and a manual port input; loads index.js. - index.js: core logic. Key capabilities (index.js): - Localhost port scanning: scanPorts() probes http://localhost:<port>/ across a user-specified range using fetch(..., mode:'no-cors') with a 12s timeout and concurrency batching (batchSize=100). Any port that responds is listed with a “crawl” button. - Recursive crawling and content retrieval: startCrawl(port) sets origin=http://localhost:<port>, clears prior results, and calls crawl(origin+'/'). crawl() fetches a URL, records it, and if the response is HTML, parses it and follows <a href> links recursively (joinPath resolves relative/absolute links). report() creates a UI entry; when expanded, it fetches the resource again and displays text/* bodies, otherwise labels it as binary with the detected content-type. Overall, this is an operational browser-based PoC demonstrating cross-origin access to a localhost development server, enabling discovery of the server and exfiltration/reading of served files via recursive link traversal.