Vite · Vite · CVE-2023-49293
**Name of the Vulnerable Software and Affected Versions**
Vite versions before 4.4.12 (fixed in 4.4.12)
Vite 4.5.0 (fixed in 4.5.1)
Vite 5.0.0 through 5.0.4 (fixed in 5.0.5)
**Description**
The issue lies in Vite's dev-server HTML transformation when it is invoked manually via `server.transformIndexHtml`. During that transformation Vite rewrites each inline `<script type="module">` in the HTML entry into an external proxy module whose `src` URL is derived from the URL handed to `server.transformIndexHtml`. If an application passes the original request URL in unmodified, query string included, attacker-controlled characters from the query string reach the generated markup unescaped, so a crafted URL can inject arbitrary HTML (a reflected cross-site scripting vector) into the transformed output. Only apps running with `appType: 'custom'`, where the application's own server calls `server.transformIndexHtml` rather than Vite's built-in HTML middleware, and still using Vite's default HTML transformation are affected. The HTML entry must also contain an inline module script. The attack requires a user to open a malicious URL while the dev server is running. Restricted files are not exposed to the attacker.
**Recommendations**
For versions prior to 4.4.12, update to vite@4.4.12 or later.
For versions prior to 4.5.1, update to vite@4.5.1 or later.
For versions prior to 5.0.5, update to vite@5.0.5 or later.
If upgrading is not immediately possible, do not hand `server.transformIndexHtml` the raw request URL: strip the query string and fragment first (for example, pass only `new URL(req.originalUrl, 'http://localhost').pathname`) so attacker-controlled input never reaches the generated markup.
Applications that do not need a custom server can run with `appType: 'spa'` or `'mpa'` and let Vite's own HTML middleware serve the entry instead of calling `server.transformIndexHtml` themselves.
Because the attack needs a running dev server, keep dev servers off untrusted networks (leave `server.host` bound to localhost) and do not reuse the dev-server HTML path to serve untrusted users.
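The following is an added example for this advisory, not Vite's code. It models the inline-script rewrite with a constructed, simplified stand-in (the real dev server's implementation differs in detail), shows how a crafted query string lands in the generated `src` attribute when the raw request URL is used, and demonstrates the workaround of passing only the pathname to `transformIndexHtml`. `toyTransformIndexHtml`, `htmlPathOnly`, `renderIndex`, the template and the malicious URL are all constructed for this page.

```javascript
// Added example for CVE-2023-49293; not Vite's code. The rewrite below is a
// constructed simplification of what the dev server does to inline module
// scripts, kept only as far as the advisory describes it: the URL handed to
// transformIndexHtml is spliced into the proxy module's src attribute.

// Toy stand-in for Vite's inline-script rewrite (assumption: the URL is
// inserted into the src attribute without attribute-escaping).
function toyTransformIndexHtml(url, html) {
  let index = 0;
  return html.replace(
    /<script type="module">[\s\S]*?<\/script>/g,
    () => `<script type="module" src="${url}?html-proxy&index=${index++}.js"></script>`,
  );
}

// Workaround: keep the path (Vite needs it to locate the HTML entry) but drop
// the query string and fragment before calling transformIndexHtml. The WHATWG
// URL parser also percent-encodes characters such as " < > in the path, so the
// returned value cannot break out of a double-quoted attribute.
function htmlPathOnly(requestUrl) {
  return new URL(requestUrl, 'http://localhost').pathname;
}

// Request handler in the shape of an appType: 'custom' server. `vite` is any
// object exposing transformIndexHtml(url, html); with a real Vite dev server
// the return value is a Promise that the caller awaits.
function renderIndex(vite, req, template) {
  return vite.transformIndexHtml(htmlPathOnly(req.originalUrl), template);
}

// Constructed HTML entry containing one inline module script.
const TEMPLATE = [
  '<!doctype html><html><body>',
  '<div id="app"></div>',
  '<script type="module">import "/src/main.js"</script>',
  '</body></html>',
].join('\n');

// Constructed malicious request URL: the query closes the src attribute and
// the script tag, then appends attacker-controlled markup.
const MALICIOUS_URL = '/index.html?"></script><img src=x onerror=alert(1)>';

// True when the transformed page contains an <img> tag the template never had.
function hasInjectedImg(html) {
  return /<img\b/i.test(html);
}

// Runs the vulnerable pattern (raw URL) and the hardened pattern (pathname
// only) against the same template and reports what each produced.
function demo() {
  const toyVite = { transformIndexHtml: toyTransformIndexHtml };
  // Unpatched custom servers pass req.originalUrl straight through.
  const vulnerable = toyTransformIndexHtml(MALICIOUS_URL, TEMPLATE);
  const hardened = renderIndex(toyVite, { originalUrl: MALICIOUS_URL }, TEMPLATE);
  return {
    vulnerableInjected: hasInjectedImg(vulnerable),
    hardenedInjected: hasInjectedImg(hardened),
    hardenedSrc: hardened.match(/src="([^"]*)"/)[1],
  };
}

console.log(demo());
```

With the raw URL the generated tag reads `src="/index.html?"></script><img src=x onerror=alert(1)>?html-proxy&index=0.js"`, which the browser parses as a closed script tag followed by the attacker's `<img>`; with the pathname only it reads `src="/index.html?html-proxy&index=0.js"`. Dropping the query is the right cut because Vite only needs the path to find the entry file, and the toy keeps the proxy-module query Vite appends itself.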