PT-2023-7610 · Vite · Vite

Mxxk · Published 2023-12-04 · Updated 2026-04-01 · CVE-2023-49293

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Vite versions prior to 4.4.12
Vite versions prior to 4.5.1
Vite versions prior to 5.0.5
Description
The issue is related to Vite's HTML transformation when invoked manually via server.transformIndexHtml. If the original request URL is passed in unmodified and the HTML being transformed contains inline module scripts, it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' together with the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while the dev server is running. Restricted files are not exposed to the attacker.
Recommendations
For versions prior to 4.4.12, update to vite@4.4.12 or later. For versions prior to 4.5.1, update to vite@4.5.1 or later. For versions prior to 5.0.5, update to vite@5.0.5 or later. As a temporary workaround, consider disabling the server.transformIndexHtml function until a patch is available. Restrict access to dev servers running with the vulnerable appType: 'custom' to minimize the risk of exploitation, and avoid calling server.transformIndexHtml with unmodified request URLs until the issue is resolved.
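The last workaround as an added example (not code from the advisory or from the Vite project): a custom-server handler that reduces the incoming request URL to a cleaned pathname before handing it to server.transformIndexHtml, so the query string the advisory names never reaches the transformation. The `vite` object with a `transformIndexHtml(url, html)` method and the Node http-style `req`/`res` shapes are assumptions.

```javascript
// Added example, not code from the advisory or from Vite itself. Assumes a
// ViteDevServer (`vite`) created with appType: 'custom' that exposes
// transformIndexHtml(url, html), and Node http-style req/res objects.

// Reduce a raw request URL to a plain pathname. The query string and fragment,
// which the advisory identifies as the injection carrier, are discarded, and
// decoded paths carrying HTML or control characters are rejected outright.
function indexHtmlUrl(rawUrl) {
  let pathname;
  try {
    // The base origin is a placeholder so that relative request URLs parse;
    // only the pathname is read back, so the host never reaches the output.
    const parsed = new URL(rawUrl, 'http://placeholder.invalid');
    pathname = decodeURIComponent(parsed.pathname);
  } catch {
    return null; // unparsable URL or malformed percent-encoding
  }
  if (/[<>"'`\\\x00-\x1f]/.test(pathname)) {
    return null;
  }
  return pathname;
}

// Build the handler a custom server mounts for its HTML entry. `template` is
// the raw index.html read from disk; `vite` is the dev server instance.
// The handler resolves to the URL it passed on (null when it refused).
function createIndexHtmlHandler(vite, template) {
  return async function handle(req, res) {
    const url = indexHtmlUrl(req.url || '/');
    if (url === null) {
      res.statusCode = 400;
      res.end('Bad Request');
      return null;
    }
    // Hardened call: a cleaned pathname, never req.url or req.originalUrl.
    const html = await vite.transformIndexHtml(url, template);
    res.statusCode = 200;
    res.setHeader('Content-Type', 'text/html');
    res.end(html);
    return url;
  };
}
```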

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-08670
CVE-2023-49293
GHSA-92R3-M2MG-PJ97

Affected Products

Vite