CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite

2023-12-0423:03:30

CWE-79

GitHub_M

www.cve.org

vite

cross-site scripting

server.transformindexhtml

url payload

html transformation

inline module scripts

dev server

[email protected]

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Vite is a website frontend framework. When Vite’s HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren’t exposed to the attacker. This issue has been addressed in [email protected], [email protected], and [email protected]. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "vitejs",
    "product": "vite",
    "versions": [
      {
        "version": ">=4.4.0, < 4.4.12",
        "status": "affected"
      },
      {
        "version": "= 4.5.0",
        "status": "affected"
      },
      {
        "version": ">=5.0.0, < 5.0.5",
        "status": "affected"
      }
    ]
  }
]