Skip to main content

Vite CVE-2023-49293

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-12-04 security-advisories@github.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 04, 2023 - 23:15 nvd
MEDIUM 6.1

DescriptionNVD

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

AnalysisAI

Vite is a website frontend framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability. Affected products include: Vitejs Vite.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Vite

View all
CVE-2025-31125 MEDIUM POC
5.3 Mar 31

Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 5.3), this vulnerability is remotely ex

CVE-2025-30208 MEDIUM POC
5.3 Mar 24

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15,

CVE-2024-52011 HIGH POC
7.5 Jun 01

launch-editor allows users to open files with line numbers in editor from Node.js. Rated high severity (CVSS 7.5), this

CVE-2024-23331 HIGH POC
7.5 Jan 19

Vite is a frontend tooling framework for javascript. Rated high severity (CVSS 7.5), this vulnerability is remotely expl

CVE-2023-34092 HIGH POC
7.5 Jun 01

Vite provides frontend tooling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentic

CVE-2025-46565 MEDIUM POC
6.0 May 01

Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 6.0), this vulnerability is remotely ex

CVE-2022-35204 MEDIUM POC
4.3 Aug 18

Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the v

CVE-2025-58751 LOW POC
2.3 Sep 08

Vite is a frontend tooling framework for JavaScript. Rated low severity (CVSS 2.3), this vulnerability is remotely explo

CVE-2025-58752 LOW POC
2.3 Sep 08

Vite is a frontend tooling framework for JavaScript. Rated low severity (CVSS 2.3), this vulnerability is remotely explo

CVE-2025-24010 MEDIUM POC
6.5 Jan 20

Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 6.5), this vulnerability is remotely ex

Share

CVE-2023-49293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy