Skip to content

[Security] Bump vite from 4.5.0 to 4.5.1

Dependabot requested to merge dependabot-npm_and_yarn-vite-4.5.1 into master

Bumps vite from 4.5.0 to 4.5.1. This update includes a security fix.

Vulnerabilities fixed

Vite XSS vulnerability in server.transformIndexHtml via URL payload

Summary

When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact

Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches

Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12

Details

Suppose index.html contains an inline module script:

<script type="module">
  // Inline script
</script>

This script is transformed into a proxy script like

... (truncated)

Patched versions: 4.5.1 Affected versions: = 4.5.0

Changelog

Sourced from vite's changelog.

4.5.1 (2023-12-04)

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading