CVE-2024-45812: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Note that we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
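Added example, not code from Vite or from this advisory: a small Node.js model of the gadget class described above, showing how a named img element shadows document.currentScript and how a defensive lookup rejects the shadowed value. The document object, element classes and URLs are constructed stand-ins; the hardened resolver checks that the element is a genuine script element, which I assume is the direction of the referenced Vite commits (the exact patched code is in those commits, not reproduced here).

```javascript
// Constructed stand-ins for browser element classes (Node.js has no DOM).
class HTMLScriptElement {
  constructor(src) { this.tagName = 'SCRIPT'; this.src = src; }
}
class HTMLImageElement {
  constructor(name, src) { this.tagName = 'IMG'; this.name = name; this.src = src; }
}

// Constructed model of `document`: an element whose `name` attribute matches a
// built-in property shadows that property (Document is [LegacyOverrideBuiltIns]),
// which is the DOM Clobbering behaviour the advisory describes.
function makeDocument(runningScript, namedElements) {
  const doc = { baseURI: 'https://app.example/' }; // constructed origin
  Object.defineProperty(doc, 'currentScript', {
    get() { return namedElements.find((el) => el.name === 'currentScript') ?? runningScript; },
  });
  return doc;
}

// Vulnerable pattern: trust whatever document.currentScript.src says when
// resolving the bundle's own URL (e.g. as a base for loading further chunks).
function resolveBundleUrlVulnerable(doc) {
  const cs = doc.currentScript;
  return (cs && cs.src) || new URL('index.js', doc.baseURI).href;
}

// Hardened pattern (hypothetical helper, not Vite's): only accept a real
// script element; anything else falls back to the document base URL.
function resolveBundleUrlHardened(doc) {
  const cs = doc.currentScript;
  const isScript = cs instanceof HTMLScriptElement && cs.tagName.toUpperCase() === 'SCRIPT';
  return isScript ? cs.src : new URL('index.js', doc.baseURI).href;
}

// Detection helper: list named elements in the page that shadow a document
// property the bundle relies on, so a reviewer can spot the clobbering precondition.
function findClobberingElements(namedElements, reliedOn = ['currentScript']) {
  return namedElements
    .filter((el) => reliedOn.includes(el.name))
    .map((el) => `${el.tagName} name="${el.name}"`);
}
```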
References
- github.com/advisories/GHSA-64vr-g452-qvp3
- github.com/vitejs/vite
- github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af
- github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675
- github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd
- github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
- github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3
- github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e
- github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
- github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
- nvd.nist.gov/vuln/detail/CVE-2024-45812
- research.securitum.com/xss-in-amp4email-dom-clobbering
- scnps.co/papers/sp23_domclob.pdf