CVE-2023-49293 (GCVE-0-2023-49293)
Vulnerability from cvelistv5 – Published: 2023-12-04 23:03 – Updated: 2025-05-29 13:40
VLAI?
Summary
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49293",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T13:40:33.559187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T13:40:53.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003e=4.4.0, \u003c 4.4.12"
},
{
"status": "affected",
"version": "= 4.5.0"
},
{
"status": "affected",
"version": "\u003e=5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-04T23:03:30.752Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
],
"source": {
"advisory": "GHSA-92r3-m2mg-pj97",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49293",
"datePublished": "2023-12-04T23:03:30.752Z",
"dateReserved": "2023-11-24T16:45:24.313Z",
"dateUpdated": "2025-05-29T13:40:53.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*\", \"versionStartIncluding\": \"4.4.0\", \"versionEndIncluding\": \"4.4.11\", \"matchCriteriaId\": \"794F0A24-E042-454A-8AF4-410CA6B9B7ED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndIncluding\": \"5.0.4\", \"matchCriteriaId\": \"5035825C-DE1D-4C3E-B80A-B80BAA9B9B83\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"49DB9151-3306-4887-B467-54BF1CB59077\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"AD12B845-C230-4731-A1C3-F7C8563EC330\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"71B39887-494A-42B0-97B5-3A27BBDA384F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"42748778-8084-4E85-A870-F4938B2B4197\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"8CEA9A64-2C3B-48CD-B553-1B266E6D98DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"C4335B97-76B1-4B91-BDF1-0DFFB8B5D966\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"D4393D1C-F71A-4FBB-896E-91F5BDE99F5F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"41F91182-DFB5-4900-967A-3467C1160FD1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"E3A2BCC8-1B86-47D9-B1D9-374B3FAF452F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"659D1924-3224-4F96-B88C-1A98909C3129\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"239A48C0-7571-46A9-ADF8-8044F89312DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"0DBF0C24-7E51-4E33-B265-872250BAAFFE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"061FD0EC-C333-43A4-B003-0B2C7CC5F377\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"CDAA6C11-11F8-466A-910F-CEB4ECA6C2B2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"E3FE8672-FB0B-4E18-8830-85A858B4EBCD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"9DBA3329-186A-48FD-A1F1-0F0F4487FEB0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"A4C137DE-8111-447B-AB2A-5DCF19C1EDE8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"1866630A-7067-4B2D-BB66-FA5A49556046\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"0490F00F-EE92-4A86-A11F-7A81345700AF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"F7947662-99E7-42FA-9F5B-FBB84B370E76\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"DC5DF679-2F1D-4DDC-AD63-D4013D61D5F6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"D3EE21DD-285A-4B6A-A607-60D4E3842B28\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\\\"module\\\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Vite es un framework de interfaz de sitio web. Cuando la transformaci\\u00f3n HTML de Vite se invoca manualmente a trav\\u00e9s de `server.transformIndexHtml`, la URL de solicitud original se pasa sin modificar y el `html` que se transforma contiene scripts de m\\u00f3dulo en l\\u00ednea (``), es posible inyectar HTML arbitrario en la salida transformada proporcionando una cadena de consulta URL maliciosa a `server.transformIndexHtml`. Solo se ven afectadas las aplicaciones que usan `appType: \u0027custom\u0027` y usan el middleware HTML predeterminado de Vite. La entrada HTML tambi\\u00e9n debe contener un script en l\\u00ednea. El ataque requiere que un usuario haga clic en una URL maliciosa mientras ejecuta el servidor de desarrollo. Los archivos restringidos no est\\u00e1n expuestos al atacante. Este problema se ha solucionado en vite@5.0.5, vite@4.5.1 y vite@4.4.12. No se conocen workarounds para esta vulnerabilidad.\"}]",
"id": "CVE-2023-49293",
"lastModified": "2024-11-21T08:33:12.293",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
"published": "2023-12-04T23:15:27.730",
"references": "[{\"url\": \"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-49293\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-12-04T23:15:27.730\",\"lastModified\":\"2024-11-21T08:33:12.293\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\\\"module\\\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Vite es un framework de interfaz de sitio web. Cuando la transformaci\u00f3n HTML de Vite se invoca manualmente a trav\u00e9s de `server.transformIndexHtml`, la URL de solicitud original se pasa sin modificar y el `html` que se transforma contiene scripts de m\u00f3dulo en l\u00ednea (``), es posible inyectar HTML arbitrario en la salida transformada proporcionando una cadena de consulta URL maliciosa a `server.transformIndexHtml`. Solo se ven afectadas las aplicaciones que usan `appType: \u0027custom\u0027` y usan el middleware HTML predeterminado de Vite. La entrada HTML tambi\u00e9n debe contener un script en l\u00ednea. El ataque requiere que un usuario haga clic en una URL maliciosa mientras ejecuta el servidor de desarrollo. Los archivos restringidos no est\u00e1n expuestos al atacante. Este problema se ha solucionado en vite@5.0.5, vite@4.5.1 y vite@4.4.12. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndIncluding\":\"4.4.11\",\"matchCriteriaId\":\"794F0A24-E042-454A-8AF4-410CA6B9B7ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndIncluding\":\"5.0.4\",\"matchCriteriaId\":\"5035825C-DE1D-4C3E-B80A-B80BAA9B9B83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"49DB9151-3306-4887-B467-54BF1CB59077\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"AD12B845-C230-4731-A1C3-F7C8563EC330\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"71B39887-494A-42B0-97B5-3A27BBDA384F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"42748778-8084-4E85-A870-F4938B2B4197\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"8CEA9A64-2C3B-48CD-B553-1B266E6D98DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C4335B97-76B1-4B91-BDF1-0DFFB8B5D966\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D4393D1C-F71A-4FBB-896E-91F5BDE99F5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"41F91182-DFB5-4900-967A-3467C1160FD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E3A2BCC8-1B86-47D9-B1D9-374B3FAF452F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"659D1924-3224-4F96-B88C-1A98909C3129\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"239A48C0-7571-46A9-ADF8-8044F89312DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0DBF0C24-7E51-4E33-B265-872250BAAFFE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"061FD0EC-C333-43A4-B003-0B2C7CC5F377\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"CDAA6C11-11F8-466A-910F-CEB4ECA6C2B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E3FE8672-FB0B-4E18-8830-85A858B4EBCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"9DBA3329-186A-48FD-A1F1-0F0F4487FEB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"A4C137DE-8111-447B-AB2A-5DCF19C1EDE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"1866630A-7067-4B2D-BB66-FA5A49556046\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0490F00F-EE92-4A86-A11F-7A81345700AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"F7947662-99E7-42FA-9F5B-FBB84B370E76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"DC5DF679-2F1D-4DDC-AD63-D4013D61D5F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D3EE21DD-285A-4B6A-A607-60D4E3842B28\"}]}]}],\"references\":[{\"url\":\"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"lang\": \"en\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\"}], \"affected\": [{\"vendor\": \"vitejs\", \"product\": \"vite\", \"versions\": [{\"version\": \"\u003e=4.4.0, \u003c 4.4.12\", \"status\": \"affected\"}, {\"version\": \"= 4.5.0\", \"status\": \"affected\"}, {\"version\": \"\u003e=5.0.0, \u003c 5.0.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-12-04T23:03:30.752Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\\\"module\\\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.\"}], \"source\": {\"advisory\": \"GHSA-92r3-m2mg-pj97\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T21:53:44.657Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-49293\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-29T13:40:33.559187Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-29T13:40:47.364Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2023-49293\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-11-24T16:45:24.313Z\", \"datePublished\": \"2023-12-04T23:03:30.752Z\", \"dateUpdated\": \"2025-05-29T13:40:53.278Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2023-49293
Vulnerability from fkie_nvd - Published: 2023-12-04 23:15 - Updated: 2024-11-21 08:33
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vitejs | vite | * | |
| vitejs | vite | * | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 | |
| vitejs | vite | 5.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "794F0A24-E042-454A-8AF4-410CA6B9B7ED",
"versionEndIncluding": "4.4.11",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5035825C-DE1D-4C3E-B80A-B80BAA9B9B83",
"versionEndIncluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "49DB9151-3306-4887-B467-54BF1CB59077",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*",
"matchCriteriaId": "AD12B845-C230-4731-A1C3-F7C8563EC330",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*",
"matchCriteriaId": "71B39887-494A-42B0-97B5-3A27BBDA384F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*",
"matchCriteriaId": "42748778-8084-4E85-A870-F4938B2B4197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*",
"matchCriteriaId": "8CEA9A64-2C3B-48CD-B553-1B266E6D98DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*",
"matchCriteriaId": "C4335B97-76B1-4B91-BDF1-0DFFB8B5D966",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*",
"matchCriteriaId": "D4393D1C-F71A-4FBB-896E-91F5BDE99F5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*",
"matchCriteriaId": "41F91182-DFB5-4900-967A-3467C1160FD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*",
"matchCriteriaId": "E3A2BCC8-1B86-47D9-B1D9-374B3FAF452F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*",
"matchCriteriaId": "659D1924-3224-4F96-B88C-1A98909C3129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*",
"matchCriteriaId": "239A48C0-7571-46A9-ADF8-8044F89312DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*",
"matchCriteriaId": "0DBF0C24-7E51-4E33-B265-872250BAAFFE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*",
"matchCriteriaId": "061FD0EC-C333-43A4-B003-0B2C7CC5F377",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*",
"matchCriteriaId": "CDAA6C11-11F8-466A-910F-CEB4ECA6C2B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*",
"matchCriteriaId": "E3FE8672-FB0B-4E18-8830-85A858B4EBCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*",
"matchCriteriaId": "9DBA3329-186A-48FD-A1F1-0F0F4487FEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*",
"matchCriteriaId": "A4C137DE-8111-447B-AB2A-5DCF19C1EDE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*",
"matchCriteriaId": "1866630A-7067-4B2D-BB66-FA5A49556046",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*",
"matchCriteriaId": "0490F00F-EE92-4A86-A11F-7A81345700AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*",
"matchCriteriaId": "F7947662-99E7-42FA-9F5B-FBB84B370E76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*",
"matchCriteriaId": "DC5DF679-2F1D-4DDC-AD63-D4013D61D5F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*",
"matchCriteriaId": "D3EE21DD-285A-4B6A-A607-60D4E3842B28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Vite es un framework de interfaz de sitio web. Cuando la transformaci\u00f3n HTML de Vite se invoca manualmente a trav\u00e9s de `server.transformIndexHtml`, la URL de solicitud original se pasa sin modificar y el `html` que se transforma contiene scripts de m\u00f3dulo en l\u00ednea (``), es posible inyectar HTML arbitrario en la salida transformada proporcionando una cadena de consulta URL maliciosa a `server.transformIndexHtml`. Solo se ven afectadas las aplicaciones que usan `appType: \u0027custom\u0027` y usan el middleware HTML predeterminado de Vite. La entrada HTML tambi\u00e9n debe contener un script en l\u00ednea. El ataque requiere que un usuario haga clic en una URL maliciosa mientras ejecuta el servidor de desarrollo. Los archivos restringidos no est\u00e1n expuestos al atacante. Este problema se ha solucionado en vite@5.0.5, vite@4.5.1 y vite@4.4.12. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2023-49293",
"lastModified": "2024-11-21T08:33:12.293",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-04T23:15:27.730",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-92R3-M2MG-PJ97
Vulnerability from github – Published: 2023-12-05 23:31 – Updated: 2023-12-05 23:31
VLAI?
Summary
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Details
Summary
When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.
Impact
Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.
Patches
Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12
Details
Suppose index.html contains an inline module script:
<script type="module">
// Inline script
</script>
This script is transformed into a proxy script like
<script type="module" src="/index.html?html-proxy&index=0.js"></script>
due to Vite's HTML plugin:
https://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/packages/vite/src/node/plugins/html.ts#L429-L465
When appType: 'spa' | 'mpa', Vite serves HTML itself, and htmlFallbackMiddleware rewrites req.url to the canonical path of index.html,
https://github.com/vitejs/vite/blob/73ef074b80fa7252e0c46a37a2c94ba8cba46504/packages/vite/src/node/server/middlewares/htmlFallback.ts#L44-L47
so the url passed to server.transformIndexHtml is /index.html.
However, if appType: 'custom', HTML is served manually, and if server.transformIndexHtml is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed html-proxy script varies with the request URL. For example, a request with path / produces
<script type="module" src="/@id/__x00__/index.html?html-proxy&index=0.js"></script>
It is possible to abuse this behavior by crafting a request URL to contain a malicious payload like
"></script><script>alert('boom')</script>
so a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like
<script type="module" src="/@id/__x00__/?"></script><script>alert("boom")</script>?html-proxy&index=0.js"></script>
which demonstrates XSS.
PoC
- Example 1. Serving HTML from
vite devmiddleware withappType: 'custom'- Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=dev-html
- "Open in New Tab"
- Edit URL to set query string to
?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3Eand navigate - Witness XSS:
- Example 2. Serving HTML from SSR-style Express server (Vite dev server runs in middleware mode):
- Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=server
- (Same steps as above)
- Example 3. Plain
vite dev(this shows that vanillavite devis not vulnerable, providedhtmlFallbackMiddlewareis used)- Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=dev
- (Same steps as above)
- You should not see the alert box in this case
Detailed Impact
This will probably predominantly affect development-mode SSR, where vite.transformHtml is called using the original req.url, per the docs:
https://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/docs/guide/ssr.md?plain=1#L114-L126
However, since this vulnerability affects server.transformIndexHtml, the scope of impact may be higher to also include other ad-hoc calls to server.transformIndexHtml from outside of Vite's own codebase.
My best guess at bisecting which versions are vulnerable involves the following test script
import fs from 'node:fs/promises';
import * as vite from 'vite';
const html = `
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
</head>
<body>
<script type="module">
// Inline script
</script>
</body>
</html>
`;
const server = await vite.createServer({ appType: 'custom' });
const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html);
console.log(transformed);
await server.close();
and using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vite"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "vite"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0"
},
{
"fixed": "4.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.5.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "vite"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49293"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-05T23:31:34Z",
"nvd_published_at": "2023-12-04T23:15:27Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`.\n\n### Impact\nOnly apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker.\n\n### Patches\nFixed in vite@5.0.5, vite@4.5.1, vite@4.4.12\n\n### Details\nSuppose `index.html` contains an inline module script:\n\n```html\n\u003cscript type=\"module\"\u003e\n // Inline script\n\u003c/script\u003e\n```\n\nThis script is transformed into a proxy script like\n\n```html\n\u003cscript type=\"module\" src=\"/index.html?html-proxy\u0026index=0.js\"\u003e\u003c/script\u003e\n```\n\ndue to Vite\u0027s HTML plugin:\n\nhttps://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/packages/vite/src/node/plugins/html.ts#L429-L465\n\nWhen `appType: \u0027spa\u0027 | \u0027mpa\u0027`, Vite serves HTML itself, and `htmlFallbackMiddleware` rewrites `req.url` to the canonical path of `index.html`,\n\nhttps://github.com/vitejs/vite/blob/73ef074b80fa7252e0c46a37a2c94ba8cba46504/packages/vite/src/node/server/middlewares/htmlFallback.ts#L44-L47\n\nso the `url` passed to `server.transformIndexHtml` is `/index.html`.\n\nHowever, if `appType: \u0027custom\u0027`, HTML is served manually, and if `server.transformIndexHtml` is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed `html-proxy` script varies with the request URL. For example, a request with path `/` produces\n\n```html\n\u003cscript type=\"module\" src=\"/@id/__x00__/index.html?html-proxy\u0026index=0.js\"\u003e\u003c/script\u003e\n```\n\nIt is possible to abuse this behavior by crafting a request URL to contain a malicious payload like\n\n```\n\"\u003e\u003c/script\u003e\u003cscript\u003ealert(\u0027boom\u0027)\u003c/script\u003e\n```\n\nso a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like\n\n```html\n\u003cscript type=\"module\" src=\"/@id/__x00__/?\"\u003e\u003c/script\u003e\u003cscript\u003ealert(\"boom\")\u003c/script\u003e?html-proxy\u0026index=0.js\"\u003e\u003c/script\u003e\n```\n\nwhich demonstrates XSS.\n\n### PoC\n\n- Example 1. Serving HTML from `vite dev` middleware with `appType: \u0027custom\u0027`\n - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js\u0026terminal=dev-html\n - \"Open in New Tab\"\n - Edit URL to set query string to `?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E` and navigate\n - Witness XSS:\n - \n- Example 2. Serving HTML from SSR-style Express server (Vite dev server runs in middleware mode):\n - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js\u0026terminal=server\n - (Same steps as above)\n- Example 3. Plain `vite dev` (this shows that vanilla `vite dev` is _not_ vulnerable, provided `htmlFallbackMiddleware` is used)\n - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js\u0026terminal=dev\n - (Same steps as above)\n - You should _not_ see the alert box in this case\n\n### Detailed Impact\n\nThis will probably predominantly affect [development-mode SSR](https://vitejs.dev/guide/ssr#setting-up-the-dev-server), where `vite.transformHtml` is called using the original `req.url`, per the docs:\n\nhttps://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/docs/guide/ssr.md?plain=1#L114-L126\n\nHowever, since this vulnerability affects `server.transformIndexHtml`, the scope of impact may be higher to also include other ad-hoc calls to `server.transformIndexHtml` from outside of Vite\u0027s own codebase.\n\nMy best guess at bisecting which versions are vulnerable involves the following test script\n\n```js\nimport fs from \u0027node:fs/promises\u0027;\nimport * as vite from \u0027vite\u0027;\n\nconst html = `\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n \u003chead\u003e\n \u003cmeta charset=\"UTF-8\" /\u003e\n \u003c/head\u003e\n \u003cbody\u003e\n \u003cscript type=\"module\"\u003e\n // Inline script\n \u003c/script\u003e\n \u003c/body\u003e\n\u003c/html\u003e\n`;\nconst server = await vite.createServer({ appType: \u0027custom\u0027 });\nconst transformed = await server.transformIndexHtml(\u0027/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E\u0027, html);\nconsole.log(transformed);\nawait server.close();\n```\n\nand using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).",
"id": "GHSA-92r3-m2mg-pj97",
"modified": "2023-12-05T23:31:34Z",
"published": "2023-12-05T23:31:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49293"
},
{
"type": "PACKAGE",
"url": "https://github.com/vitejs/vite"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vite XSS vulnerability in `server.transformIndexHtml` via URL payload"
}
GSD-2023-49293
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-49293",
"id": "GSD-2023-49293"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-49293"
],
"details": "Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.",
"id": "GSD-2023-49293",
"modified": "2023-12-13T01:20:35.367564Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-49293",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "vite",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003e=4.4.0, \u003c 4.4.12"
},
{
"version_affected": "=",
"version_value": "= 4.5.0"
},
{
"version_affected": "=",
"version_value": "\u003e=5.0.0, \u003c 5.0.5"
}
]
}
}
]
},
"vendor_name": "vitejs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-79",
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97",
"refsource": "MISC",
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
]
},
"source": {
"advisory": "GHSA-92r3-m2mg-pj97",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"cpe_name": [],
"versionEndIncluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
"cpe_name": [],
"versionEndIncluding": "4.4.11",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-49293"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Vite is a website frontend framework. When Vite\u0027s HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`\u003cscript type=\"module\"\u003e...\u003c/script\u003e`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: \u0027custom\u0027` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren\u0027t exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97",
"refsource": "",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-12-08T17:28Z",
"publishedDate": "2023-12-04T23:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…