CVE-2023-49293
Published: 04 December 2023
Summary
CVE-2023-49293 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Vitejs Vite. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Vite, a frontend build tool and development server, is affected by an HTML injection vulnerability when its index HTML transformation is invoked manually through server.transformIndexHtml. The flaw occurs only in applications configured with appType: 'custom' that also rely on the default Vite HTML middleware and contain inline module scripts; under these conditions an unmodified request URL containing a crafted query string can cause arbitrary HTML to be inserted into the transformed output.
An unauthenticated attacker can exploit the issue by persuading a victim to click a malicious link while the Vite development server is running. Successful exploitation results in reflected cross-site scripting (CWE-79) that allows limited injection of HTML content into the page served to the victim, though restricted files remain inaccessible and the attack surface is confined to the development server.
The GitHub Security Advisory GHSA-92r3-m2mg-pj97 states that the vulnerability has been fixed in Vite 5.0.5, 4.5.1, and 4.4.12; no workarounds are known.
The associated EPSS score has remained low, rising only modestly from a baseline near 0.07 to a peak of 0.083, indicating limited observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-3168
Vulnerability details
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
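Since upgrading is the only fix, the practical defender check is to find every installed copy of Vite (nested copies included) that predates the fixed releases named above. This is an added example, not code from the advisory or the Vite project; it assumes every release below 4.4.12 is unpatched and that pre-releases sort before their final release, as in semver.

```javascript
// Added example (not from the advisory or the Vite project): flag installed
// Vite versions that predate the CVE-2023-49293 fix (5.0.5, 4.5.1, 4.4.12).
// Assumptions: releases below 4.4.12 count as unpatched; a pre-release such
// as 5.0.5-beta.1 sorts before its final release, as in semver.
const FIXED_VERSIONS = ['4.4.12', '4.5.1', '5.0.5'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Comparator (-1, 0, 1); a pre-release sorts before its final release.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

function isVitePatched(version) {
  const v = parseVersion(version);
  const fixed = FIXED_VERSIONS.map(parseVersion);
  // Each maintained line got its own fix: compare against the fix on the same
  // major.minor line, else against the oldest fix so that newer lines (4.6.x,
  // 5.1.x) count as patched and older lines (4.3.x, 3.x) do not.
  const sameLine = fixed.find(f => f.major === v.major && f.minor === v.minor);
  return compareVersions(v, sameLine ?? fixed[0]) >= 0;
}

// Walk an npm lockfile (lockfileVersion 2/3 "packages" map) and report every
// installed copy of vite, nested copies included.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  return Object.entries(lock.packages ?? {})
    .filter(([path]) => /(^|\/)node_modules\/vite$/.test(path))
    .map(([path, meta]) => ({ path, version: meta.version, patched: isVitePatched(meta.version) }));
}

// Constructed sample lockfile (not from the page): a patched top-level copy
// and an unpatched copy nested under a dependency.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/vite': { version: '5.0.5' },
    'node_modules/legacy-tool/node_modules/vite': { version: '4.5.0' },
  },
});

console.table(auditLockfile(SAMPLE_LOCK)); // one row per installed copy with its patched flag
```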
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.