Cyber Resilience

CVE-2023-49293

Medium · Public PoC

Published: 04 December 2023
Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0732 (91.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-49293 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Vitejs Vite. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 8.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Vite, a frontend build tool and development server, is affected by an HTML injection vulnerability when its index HTML transformation is invoked manually through server.transformIndexHtml. The flaw occurs only in applications configured with appType: 'custom' that also rely on the default Vite HTML middleware and contain inline module scripts; under these conditions an unmodified request URL containing a crafted query string can cause arbitrary HTML to be inserted into the transformed output.

An unauthenticated attacker can exploit the issue by persuading a victim to click a malicious link while the Vite development server is running. Successful exploitation results in reflected cross-site scripting (CWE-79) that allows limited injection of HTML content into the page served to the victim, though restricted files remain inaccessible and the attack surface is confined to the development server.

The GitHub Security Advisory GHSA-92r3-m2mg-pj97 states that the vulnerability has been fixed in Vite 5.0.5, 4.5.1, and 4.4.12; no workarounds are known.
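An added example (not code from the advisory or the Vite project): a lockfile audit that flags installed Vite copies below the fixed releases named above. The function names and the sample lockfile are constructed, and treating every version in a listed release line below its fixed release as needing an upgrade is an assumption drawn from the fixed versions stated here.

```javascript
// Fixed patch level per release line, from the advisory text on this page:
// 4.4.12, 4.5.1 and 5.0.5.
const FIXED_PATCH = { '4.4': 12, '4.5': 1, '5.0': 5 };

// Parse "5.0.4" or "v5.0.4" into [major, minor, patch]; null for anything else
// (pre-releases, ranges, missing values), which the audit reports as 'unknown'.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// 'below-fix'  : release line is listed and the patch level is under the fix
// 'fixed'      : release line is listed and the patch level is at or above it
// 'not-listed' : this page gives no fixed release for that release line
function classify(version) {
  const p = parseVersion(version);
  if (!p) return 'unknown';
  const fixedPatch = FIXED_PATCH[`${p[0]}.${p[1]}`];
  if (fixedPatch === undefined) return 'not-listed';
  return p[2] < fixedPatch ? 'below-fix' : 'fixed';
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy of vite, including copies nested under other
// dependencies, which a top-level version check would miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vite$/.test(path)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/vite': { version: '5.0.4' },
    'node_modules/legacy-tool/node_modules/vite': { version: '4.4.12' },
    'node_modules/vite-plugin-demo': { version: '1.0.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}  ${f.version}  ${f.status}`);
}
```

In a real project, pass the parsed contents of `package-lock.json` to `auditLockfile`; a `not-listed` or `unknown` result means the version has to be checked against the advisory directly.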

The associated EPSS score has remained low, rising only modestly from a baseline near 0.07 to a peak of 0.083, indicating limited observed exploitation interest since disclosure.

Vulnerability details

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vitejs
vite
5.0.0 · 4.4.0 — 4.4.11 · 5.0.0 — 5.0.4

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.