CVE-2024-45812
Description
Vite is a frontend build tool for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to the cjs, iife, or umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages gadgets (pieces of JS code) in the existing JavaScript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript. However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade.
There are no known workarounds for this vulnerability.
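The base-URL resolution described above, as an added example that is not Vite's own code: the pre-patch logic beside the patched logic, run in Node against constructed stand-ins for `document` (a genuine script, a clobbered lookup, and the collection case) so the two behaviours can be compared without a browser.

```javascript
// Added example, not Vite's own code: the asset-base resolution that Vite emits
// into cjs/iife/umd bundles, rewritten as plain functions so the pre-patch and
// patched behaviour can be compared in Node without a browser. The `doc`
// objects below are constructed stand-ins for `document`.

// Pre-patch logic (vulnerable): trusts whatever `document.currentScript` holds,
// so a same-named element substituted by DOM named access supplies the base URL.
function resolveBaseVulnerable(doc) {
  return (doc.currentScript && doc.currentScript.src) || doc.baseURI;
}

// Patched logic (the CVE-2024-45812 fix): only a real <script> element's src is
// accepted; anything else falls back to document.baseURI. The typeof check is an
// addition here so that an HTMLCollection (several elements sharing the name,
// which has no tagName) also falls back instead of throwing.
function resolveBasePatched(doc) {
  const cs = doc.currentScript;
  const isScript = Boolean(cs) && typeof cs.tagName === 'string' &&
    cs.tagName.toUpperCase() === 'SCRIPT';
  return (isScript && cs.src) || doc.baseURI;
}

// Resolves a __VITE_ASSET__-style relative path against the chosen base, the
// `new URL(relativePath, base).href` step the emitted helper performs.
function resolveAssetUrl(relativePath, base) {
  return new URL(relativePath, base).href;
}

// Constructed documents: `genuine` is the normal case; `clobbered` models an
// injected <img name="currentScript" src=...> shadowing the lookup; `collection`
// models two such elements, where named access yields an HTMLCollection.
const genuine = {
  baseURI: 'https://app.example/',
  currentScript: { tagName: 'SCRIPT', src: 'https://app.example/assets/index.js' },
};
const clobbered = {
  baseURI: 'https://app.example/',
  currentScript: { tagName: 'IMG', src: 'https://attacker.invalid/x/' },
};
const collection = { baseURI: 'https://app.example/', currentScript: { length: 2 } };

// Side-by-side comparison for one asset path; returns the resolved URLs so the
// difference between the two implementations is visible as data, not just logs.
function compare(relativePath, doc) {
  return {
    vulnerable: resolveAssetUrl(relativePath, resolveBaseVulnerable(doc)),
    patched: resolveAssetUrl(relativePath, resolveBasePatched(doc)),
  };
}

console.log(compare('chunk-abc.js', clobbered));
// { vulnerable: 'https://attacker.invalid/x/chunk-abc.js', patched: 'https://app.example/chunk-abc.js' }
```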
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vite bundled scripts (cjs/iife/umd) are vulnerable to DOM Clobbering XSS via attacker-controlled HTML elements; patched in 5.4.6, 5.3.6, 5.2.14, 4.5.5, 3.2.11.
Vite, a frontend build tool, contains a DOM Clobbering vulnerability in its bundled scripts when the output format is set to cjs, iife, or umd. The root cause lies in Vite's use of document.currentScript to resolve asset URLs (starting with __VITE_ASSET__) for dynamic imports. This lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism, where a scriptless HTML element (e.g., an `<img>` tag with an unsanitized `name` attribute) can override the expected script element [1][3].
To exploit this vulnerability, an attacker injects a benign-looking HTML element (e.g., an `<img>` tag whose `name` attribute is not sanitized) into a web page that includes Vite-bundled scripts in the vulnerable output formats. When Vite's code executes and accesses document.currentScript, the browser returns the attacker-controlled element instead of the actual script. Vite then uses the `src` attribute of that element as the base URL for importing scripts, allowing the attacker to load scripts from an arbitrary server [3].
The impact is cross-site scripting (XSS): the attacker can load and execute arbitrary JavaScript from an external server, leading to full compromise of the web page's context. This attack is feasible on websites that allow user-contributed HTML without proper sanitization of name or id attributes and that use Vite-bundled files with the vulnerable output formats [1][3].
Vite has patched this vulnerability in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade to a patched version; there are no known workarounds [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vite (npm) | >= 5.4.0, < 5.4.6 | 5.4.6 |
| vite (npm) | >= 5.3.0, < 5.3.6 | 5.3.6 |
| vite (npm) | >= 5.2.0, < 5.2.14 | 5.2.14 |
| vite (npm) | >= 4.0.0, < 4.5.4 | 4.5.4 |
| vite (npm) | < 3.2.11 | 3.2.11 |
| vite (npm) | >= 5.0.0, < 5.1.8 | 5.1.8 |
Affected products
OSV coordinates (4 version ranges):
- pkg:apk/chainguard/vite (no CPE), range: < 5.4.6-r0
- pkg:apk/wolfi/vite (no CPE), range: < 5.4.6-r0
- pkg:npm/vite (no CPE), range: >= 5.4.0, < 5.4.6
- pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.7.0.4.git142.862ef23-1.1
Patches
ade1d89660e1 fix: avoid DOM Clobbering gadget in `getRelativeUrlFromDocument` (#18115)
1 file changed · +1 −1
packages/vite/src/node/build.ts+1 −1 modified@@ -1297,7 +1297,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${escapeId(partialEncodeURIPath(relativePath))}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI`, + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`, ) const getFileUrlFromFullPath = (path: string) =>
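Review bot: the new guard `document.currentScript.tagName.toUpperCase() === 'SCRIPT'` throws instead of falling back when `document.currentScript` is truthy but has no `tagName`, which is what document named access yields when more than one element carries the clobbering name (an HTMLCollection); that turns the attempt into a broken bundle rather than the harmless fallback to `document.baseURI` the expression is meant to be. Consider `typeof document.currentScript.tagName === 'string' && document.currentScript.tagName.toUpperCase() === 'SCRIPT'` so every non-script case degrades to `document.baseURI`. The `toUpperCase()` itself is right, since an SVG script element reports a lowercase `tagName`.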
179b17773cf3 fix: avoid DOM Clobbering gadget in `getRelativeUrlFromDocument` (#18115)
1 file changed · +1 −1
packages/vite/src/node/build.ts+1 −1 modified@@ -1133,7 +1133,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${escapeId(partialEncodeURIPath(relativePath))}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI`, + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`, ) const getFileUrlFromFullPath = (path: string) =>
2691bb3ff6b0 fix: avoid DOM Clobbering gadget in `getRelativeUrlFromDocument` (#18115)
1 file changed · +1 −1
packages/vite/src/node/build.ts+1 −1 modified@@ -1133,7 +1133,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${escapeId(partialEncodeURIPath(relativePath))}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI`, + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`, ) const getFileUrlFromFullPath = (path: string) =>
ebb94c5b3bf4 fix: avoid DOM Clobbering gadget in `getRelativeUrlFromDocument` (#18115)
1 file changed · +1 −1
packages/vite/src/node/build.ts+1 −1 modified@@ -1131,7 +1131,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${escapeId(partialEncodeURIPath(relativePath))}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI`, + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`, ) const getFileUrlFromFullPath = (path: string) =>
e8127166979e fix: avoid DOM Clobbering gadget in `getRelativeUrlFromDocument` (#18115)
1 file changed · +1 −1
packages/vite/src/node/build.ts+1 −1 modified@@ -1100,7 +1100,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${escapeId(relativePath)}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI`, + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`, ) const getFileUrlFromFullPath = (path: string) =>
2ddd8541ec3b fix: backport #18115, DOM Clobbering in
1 file changed · +1 −1
packages/vite/src/node/build.ts+1 −1 modified@@ -1005,7 +1005,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) => getResolveUrl( `'${relativePath}', ${ umd ? `typeof document === 'undefined' ? location.href : ` : '' - }document.currentScript && document.currentScript.src || document.baseURI` + }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI` ) const relativeUrlMechanisms: Record<
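Review bot: this backport interpolates `'${relativePath}'` bare into the generated string literal, where the newer branches wrap it as `escapeId(partialEncodeURIPath(relativePath))`; that is pre-existing context on this branch rather than part of the clobbering fix, but since the value lands inside emitted JavaScript it is worth confirming that relativePath is bundler-generated only or escaped elsewhere on this branch. The guard itself is identical to the other five commits.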
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-64vr-g452-qvp3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-45812 (ghsa, ADVISORY)
- github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af (ghsa, WEB)
- github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675 (ghsa, WEB)
- github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd (ghsa, WEB)
- github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad (nvd, WEB)
- github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3 (ghsa, WEB)
- github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e (ghsa, WEB)
- github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3 (nvd, WEB)
- github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 (nvd, WEB)
- research.securitum.com/xss-in-amp4email-dom-clobbering (nvd, WEB)
- scnps.co/papers/sp23_domclob.pdf (nvd, WEB)
News mentions
No linked articles in our index yet.