vite@5.0.0-beta.6 vulnerabilities

Native-ESM powered web dev build tool

Direct Vulnerabilities

Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Cross-Site Scripting (XSS)
Severity: M (Medium)


Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) when the HTML transformation function is invoked manually through server.transformIndexHtml. The original request URL is passed in unmodified. If the HTML being transformed contains inline module scripts, it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

This is exploitable by convincing a user who is running a dev server with appType: 'custom' set and the default HTML middleware to follow a malicious link. Restricted files are not exposed to the attacker.

How to fix Cross-Site Scripting (XSS)?

Upgrade vite to version 4.4.12, 4.5.1, 5.0.5 or higher.

Vulnerable versions:
  • >=4.4.0-beta.2 <4.4.12
  • >=4.5.0 <4.5.1
  • >=5.0.0-beta.0 <5.0.5