Bug 2252893 (CVE-2023-49293) - CVE-2023-49293 vitejs: XSS vulnerability in `server.transformIndexHtml` via URL payload
Summary: CVE-2023-49293 vitejs: XSS vulnerability in `server.transformIndexHtml` via U...
Keywords:
Status: NEW
Alias: CVE-2023-49293
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2252894
TreeView+ depends on / blocked
 
Reported: 2023-12-05 06:24 UTC by Pedro Sampaio
Modified: 2025-06-17 08:28 UTC (History)
46 users (show)

Fixed In Version: vite 4.4.12, vite 4.5.0, vite 4.5.1, vite 5.0.0, vite 5.0.5
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2023-12-05 06:24:27 UTC 
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite.5, vite.1, and vite.12. There are no known workarounds for this vulnerability.

References:

https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97
Note You need to log in before you can comment on or make changes to this bug.