#VU125302 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Vite - CVE-2024-45812

Published: September 17, 2024 / Updated: April 8, 2026


Vulnerability identifier: #VU125302
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-45812
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Vite
Software vendor: Vite

Description

The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.

The vulnerability exists due to improper control of dynamically resolved script URLs via DOM clobbering in Vite-bundled scripts when attacker-controlled scriptless HTML elements are present on a page that uses cjs, iife, or umd build output and dynamically imports scripts from the assets folder. A remote user can inject a crafted HTML element that shadows document.currentScript and thereby execute arbitrary script code in the victim's browser.

The issue arises because the document.currentScript lookup can be shadowed through the browser's named DOM tree element access mechanism, so that the src value of an attacker-controlled element is used as the base for dynamic script loading.
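The following is an added illustration, not Vite's own code, of the resolver pattern the advisory describes: a non-module bundle derives the directory it loads further chunks from, and accepting whatever the document.currentScript lookup yields lets a shadowing non-script element supply that base. Real DOM elements are replaced by constructed stand-in objects, and the origins are hypothetical, so the snippet runs in Node without a browser.

```javascript
// Naive resolver: use the src of whatever the lookup returned as the asset base.
// If the lookup has been shadowed by a named non-script element, that element's
// src (attacker-controlled, per the advisory) becomes the base for dynamic imports.
function assetBaseNaive(currentScript, fallbackBase) {
  return currentScript && currentScript.src
    ? new URL('.', currentScript.src).href
    : fallbackBase;
}

// Hardened resolver: only trust a genuine <script> element with a string src.
// Named DOM access can expose <img>, <form>, <object>, <embed> or <iframe>
// elements, never a <script>, so anything else falls back to the document base.
// In a real browser, `currentScript instanceof HTMLScriptElement` is equivalent.
function assetBaseHardened(currentScript, fallbackBase) {
  const isScript =
    currentScript !== null &&
    typeof currentScript === 'object' &&
    typeof currentScript.tagName === 'string' &&
    currentScript.tagName.toUpperCase() === 'SCRIPT' &&
    typeof currentScript.src === 'string';
  return isScript ? new URL('.', currentScript.src).href : fallbackBase;
}

// Constructed stand-ins for DOM elements (hypothetical origins).
const BASE = 'https://app.example/';
const realScript = { tagName: 'SCRIPT', src: 'https://app.example/assets/index-abc123.js' };
// What the lookup yields when shadowed by a scriptless element carrying a src.
const shadowed = { tagName: 'IMG', src: 'https://untrusted.example/x.js' };

// Demonstration of the two resolvers on the same inputs.
console.log(assetBaseNaive(realScript, BASE));     // https://app.example/assets/
console.log(assetBaseNaive(shadowed, BASE));       // https://untrusted.example/ (attacker-controlled base)
console.log(assetBaseHardened(shadowed, BASE));    // https://app.example/
console.log(assetBaseHardened(null, BASE));        // https://app.example/
```

A detection-side check for this class of issue is to search the bundle output for `document.currentScript.src` reads that are not guarded by a tag-name or instanceof check.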


Remediation

Install the security update from the vendor's website.

External links