[Security] Bump vite from 4.5.0 to 4.5.1
Bumps vite from 4.5.0 to 4.5.1. This update includes a security fix.
Vulnerabilities fixed

Vite XSS vulnerability in server.transformIndexHtml via URL payload

Summary
When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the HTML being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact
Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches
Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12
Details
Suppose index.html contains an inline module script:

<script type="module"> // Inline script </script>

This script is transformed into a proxy script like
... (truncated)

Patched versions: 4.5.1
Affected versions: = 4.5.0
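As an added illustration, not Vite's code and not part of this MR, the following JavaScript contrasts a proxy-script builder that splices the raw request URL into a src attribute with one that canonicalises the path and query through the WHATWG URL parser and attribute-escapes the result, the class of fix described by commit 41bb354 ("proxy html path should be encoded"). The function names, the marker query keys and the sample URL are assumptions made for the example; the well-formedness check at the end is the kind of regression test a reviewer would want beside such a fix.

```javascript
// Added example, not Vite's implementation: shows why an unencoded request
// path/query must not be spliced into the proxy <script src="..."> attribute.

// Escape the characters that can terminate a double-quoted HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern (hypothetical): the request URL is used verbatim, so any
// quote or angle bracket in its query string lands in the attribute as-is.
function proxyScriptUnsafe(requestUrl, index) {
  return `<script type="module" src="${requestUrl}?html-proxy&index=${index}.js"></script>`;
}

// Hardened pattern (hypothetical): parse with the WHATWG URL parser, which
// percent-encodes '"', '<' and '>' in the path and query, add the proxy
// marker through searchParams, then attribute-escape the serialised result.
function proxyScriptSafe(requestUrl, index) {
  const u = new URL(requestUrl, 'http://localhost'); // base is a placeholder; only path + query are used
  u.searchParams.set('html-proxy', '');
  u.searchParams.set('index', `${index}.js`);
  return `<script type="module" src="${escapeAttr(u.pathname + u.search)}"></script>`;
}

// Defender-side check: the output must still be one well-formed <script> tag
// whose src value contains no raw quote or angle bracket.
function isWellFormedProxyTag(tag) {
  return /^<script type="module" src="[^"<>]*"><\/script>$/.test(tag);
}

// Constructed sample request URL carrying attribute-breaking characters.
const SAMPLE_URL = '/index.html?q="<b>';

console.log('unsafe:', proxyScriptUnsafe(SAMPLE_URL, 0),
  'well-formed =', isWellFormedProxyTag(proxyScriptUnsafe(SAMPLE_URL, 0)));
console.log('safe:  ', proxyScriptSafe(SAMPLE_URL, 0),
  'well-formed =', isWellFormedProxyTag(proxyScriptSafe(SAMPLE_URL, 0)));
```

The unsafe builder emits an attribute that ends at the first quote from the query string, so the remainder of the URL is parsed as markup; the hardened builder keeps the same characters but only in percent-encoded form, which the browser decodes back into the query when it requests the proxy module.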
Commits
- c075115 release: v4.5.1
- 41bb354 fix: backport #15223, proxy html path should be encoded (#15226)
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts