CVE-2023-49293
HTML transformation vulnerability in vite (npm)
What is CVE-2023-49293 About?
This vulnerability involves arbitrary HTML injection in Vite's HTML transformation process when an inline module script is present and `appType: 'custom'` is used. Attackers can inject malicious HTML via a crafted URL query string, leading to Cross-Site Scripting (XSS). Exploitation requires user interaction with a malicious URL on a development server and is moderately easy to carry out.
Affected Software
- vite
  - >5.0.0, <5.0.5
  - >4.4.0, <4.4.12
  - >4.5.0, <4.5.1
Technical Details
The vulnerability arises when Vite's `server.transformIndexHtml` function is manually invoked with an unmodified original request URL, particularly when `appType: 'custom'` is configured and the HTML contains inline module scripts. Vite's HTML plugin transforms inline scripts into proxy scripts with a source path derived from the request URL.

When `appType: 'spa' | 'mpa'` is used, `htmlFallbackMiddleware` rewrites `req.url` to a canonical path, preventing the issue. However, with `appType: 'custom'`, if the raw request URL is passed to `server.transformIndexHtml`, an attacker can craft a malicious URL query string (e.g., `?"%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E`).

This malicious query string gets embedded into the `src` attribute of the generated proxy script, breaking out of the `src` attribute and injecting arbitrary HTML (such as an XSS payload) directly into the transformed HTML output, leading to execution in the victim's browser.
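The following is an added example, not Vite's own code. It models the root cause with a simplified stand-in for the inline-script proxy tag (the tag shape and the URL-decoding step are assumptions of the model) and shows the canonicalization a custom SSR server should apply to `req.url` before calling `server.transformIndexHtml`, plus a guard a server can run on any value it is about to place in an attribute.

```javascript
// Added example, not Vite's own code. Simplified model of the advisory's root
// cause (raw request URL reaching the proxy-script src attribute) and the
// canonicalization a custom SSR server must apply itself.

// Stand-in for the proxy <script> emitted for an inline module: the request
// URL becomes the src path. Decoding the URL here is an assumption of this
// model so that the advisory's encoded query string behaves as described.
function proxyScriptTag(requestUrl, index) {
  const src = decodeURI(requestUrl) + `?html-proxy&index=${index}.js`;
  return `<script type="module" src="${src}"></script>`;
}

// What htmlFallbackMiddleware does for appType 'spa'/'mpa' and what a custom
// server must do before transformIndexHtml: keep only the pathname, dropping
// query and hash. The base origin is a placeholder; only the path is used.
function canonicalizeRequestUrl(rawUrl) {
  const { pathname } = new URL(rawUrl, 'http://placeholder.invalid');
  return pathname.endsWith('/') ? `${pathname}index.html` : pathname;
}

// Defensive guard: a value destined for an HTML attribute must not carry
// attribute or tag delimiters once decoded.
function isSafeForAttribute(value) {
  return !/["'<>]/.test(decodeURIComponent(value));
}

// Count <script tags so a caller can detect unexpected injected markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed request URL using the query string quoted in the advisory.
const constructedRawUrl =
  '/index.html?"%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E';

function demo() {
  const unsafe = proxyScriptTag(constructedRawUrl, 0);    // raw req.url
  const canonical = canonicalizeRequestUrl(constructedRawUrl);
  const safe = proxyScriptTag(canonical, 0);              // canonical path
  return {
    canonical,                                           // '/index.html'
    rawIsSafe: isSafeForAttribute(constructedRawUrl),    // false
    canonicalIsSafe: isSafeForAttribute(canonical),      // true
    unsafeScriptCount: countScriptTags(unsafe),          // 2: a second tag
    safeScriptCount: countScriptTags(safe),              // 1
  };
}
```

Upgrading to a fixed Vite release remains the primary remedy; the canonicalization above is the pattern a custom server should follow regardless, since it controls what URL reaches `transformIndexHtml`.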
What is the Impact of CVE-2023-49293?
Successful exploitation may allow attackers to execute arbitrary client-side scripts in the victim's browser, manipulate web content, steal session cookies, or deface the website. This can lead to unauthorized access, data theft, and defacement of the affected application.
What is the Exploitability of CVE-2023-49293?
Exploitation of this vulnerability is of moderate complexity. It requires specific environmental prerequisites: the affected application must be running a Vite development server with `appType: 'custom'`, and the HTML entry point must contain an inline module script. Authentication is not required for the attacker to craft and deliver the malicious URL. However, the attack relies on a user clicking a specially crafted malicious URL while interacting with the dev server. This is a remote attack, as the attacker delivers the malicious URL to the victim. The primary risk factor increasing exploitability is the common use of Vite in development environments, especially with SSR configurations where `server.transformIndexHtml` might be called with original request URLs.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-49293?
Available Upgrade Options
- vite
  - >4.4.0, <4.4.12 → Upgrade to 4.4.12
  - >4.5.0, <4.5.1 → Upgrade to 4.5.1
  - >5.0.0, <5.0.5 → Upgrade to 5.0.5
Additional Resources
What are Similar Vulnerabilities to CVE-2023-49293?
Similar Vulnerabilities: CVE-2024-21485, CVE-2023-5654, CVE-2024-11394, CVE-2023-47248, CVE-2023-6975
