Vulnerability Database

296,760

Total vulnerabilities in the database

CVE-2023-49293

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

CVSS v3:

  • Severity: Medium
  • Score: 6.1
  • AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

OWASP TOP 10:

Software From Fixed in
Node.js icon vitejs / vite 4.4.0 4.4.12
Node.js icon vitejs / vite 4.5.0 4.5.0.x
Node.js icon vitejs / vite 4.5.0 4.5.1
Node.js icon vitejs / vite 5.0.0 5.0.5
Node.js icon vitejs / vite 5.0.0-beta20 5.0.0-beta20.x
Node.js icon vitejs / vite 5.0.0-beta19 5.0.0-beta19.x
Node.js icon vitejs / vite 5.0.0-beta18 5.0.0-beta18.x
Node.js icon vitejs / vite 5.0.0-beta17 5.0.0-beta17.x
Node.js icon vitejs / vite 5.0.0-beta16 5.0.0-beta16.x
Node.js icon vitejs / vite 5.0.0-beta15 5.0.0-beta15.x
Node.js icon vitejs / vite 5.0.0-beta14 5.0.0-beta14.x
Node.js icon vitejs / vite 5.0.0-beta13 5.0.0-beta13.x
Node.js icon vitejs / vite 5.0.0-beta12 5.0.0-beta12.x
Node.js icon vitejs / vite 5.0.0-beta11 5.0.0-beta11.x
Node.js icon vitejs / vite 5.0.0-beta10 5.0.0-beta10.x
Node.js icon vitejs / vite 5.0.0-beta9 5.0.0-beta9.x
Node.js icon vitejs / vite 5.0.0-beta8 5.0.0-beta8.x
Node.js icon vitejs / vite 5.0.0-beta7 5.0.0-beta7.x
Node.js icon vitejs / vite 5.0.0-beta6 5.0.0-beta6.x
Node.js icon vitejs / vite 5.0.0-beta5 5.0.0-beta5.x
Node.js icon vitejs / vite 5.0.0-beta4 5.0.0-beta4.x
Node.js icon vitejs / vite 5.0.0-beta3 5.0.0-beta3.x
Node.js icon vitejs / vite 5.0.0-beta2 5.0.0-beta2.x
Node.js icon vitejs / vite 5.0.0-beta1 5.0.0-beta1.x
Node.js icon vitejs / vite 5.0.0-beta0 5.0.0-beta0.x
Node.js icon vitejs / vite 5.0.0 5.0.4.x
Node.js icon vitejs / vite 4.4.0 4.4.11.x
Node.js icon vitejs / vite 5.0.0 5.0.0.x