Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite
Description
Vite is a website frontend framework. It is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml` when all of the following hold: Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the HTML being transformed contains inline module scripts (`<script type="module">...</script>`). Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vite (npm) | >= 4.4.0, < 4.4.12 | 4.4.12 |
| vite (npm) | >= 4.5.0, < 4.5.1 | 4.5.1 |
| vite (npm) | >= 5.0.0, < 5.0.5 | 5.0.5 |
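
Added example (not part of the advisory or of Vite's own code): a lockfile check that reports every installed copy of vite inside the affected ranges from the table above, together with the patched release to move to. The function names and the sample lockfile are constructed for illustration, and a parsed package-lock.json with a `packages` map (lockfileVersion 2 or 3) is assumed.

```javascript
// Affected ranges and fixed releases, copied from the advisory table above.
const AFFECTED = [
  { min: [4, 4, 0], fixed: [4, 4, 12] },
  { min: [4, 5, 0], fixed: [4, 5, 1] },
  { min: [5, 0, 0], fixed: [5, 0, 5] },
];

// Parse "x.y.z". Any prerelease/build suffix is dropped (an assumption that
// errs towards reporting). Returns null when no x.y.z prefix is present.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so that 4.4.9 sorts before 4.4.12.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to move to, or null if not in an affected range.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED.find(r => cmp(v, r.min) >= 0 && cmp(v, r.fixed) < 0);
  return hit ? hit.fixed.join('.') : null;
}

// Walk the "packages" map of a parsed package-lock.json and report every
// installed copy of vite, including copies nested under other packages.
function findAffectedVite(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vite$/.test(path)) continue;
    const upgradeTo = fixFor(entry.version);
    if (upgradeTo) findings.push({ path, version: entry.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  packages: {
    'node_modules/vite': { version: '5.0.4' },
    'node_modules/some-plugin/node_modules/vite': { version: '4.5.1' },
    'node_modules/legacy-tool/node_modules/vite': { version: '4.4.9' },
    'node_modules/vite-node': { version: '0.34.6' },
  },
};
console.log(findAffectedVite(sampleLock));
```

A reported version only means the package is in range; the `appType: 'custom'` and inline-script conditions from the description still determine whether a given app is exposed.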
References
- github.com/advisories/GHSA-92r3-m2mg-pj97 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-49293 (GHSA, advisory)
- github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 (GHSA, x_refsource_CONFIRM, web)