Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Description

When Vite’s HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.0.0, < 5.0.5

  = 4.5.0

  >= 4.4.0, < 4.4.12**

• Patched version(s): **5.0.5

  4.5.1

  4.4.12**

References

• GHSA-92r3-m2mg-pj97
• CVE-2023-49293
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
• Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
• Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
• Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads - CVE-2026-27567

You might also like:

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Exploiting Server Version Disclosure

Tags:

npm

vite