DOM Clobbering Vulnerability in Vite Framework
CVE-2024-45812


Key Information:

Vendor: Vite

CVE Published: 17 September 2024

What is CVE-2024-45812?

A vulnerability exists in the Vite framework due to improper handling of DOM Clobbering in bundled scripts. It occurs when certain output formats are used: attacker-controlled HTML elements, made of non-script markup, can interfere with the bundled script's own logic. By embedding their own elements, attackers can exploit the document.currentScript lookup mechanism, potentially causing the bundle to load scripts dynamically from an attacker-chosen external source. As a consequence, websites that use Vite with an affected configuration are susceptible to Cross-Site Scripting (XSS), especially where user-supplied HTML is not correctly sanitized. The vulnerability is addressed in Vite 5.4.6, 5.3.6 and 5.2.14, and in the backported releases 4.5.5 and 3.2.11; users are urged to upgrade accordingly.
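The defensive check that the description implies, written as an added example and not as Vite's own code: a bundle that derives its base URL from document.currentScript should first confirm it is holding a real script element and that its src belongs to an expected origin, falling back to a static base otherwise. The element objects, the allowlist and the URLs below are constructed stand-ins so the code runs under Node without a DOM.

```javascript
// Added example, not Vite's implementation. In a non-module (IIFE/UMD) bundle,
// document.currentScript is the only hint for where the bundle was loaded from.
// A non-script element injected into the page with a matching id/name attribute
// can shadow that property (DOM clobbering), so validate before building URLs.
// Assumption: `allowedOrigins` is a list the deploying site controls.

function isRealScriptElement(el) {
  // Clobbering elements are <img>, <a>, <form> and similar, never <script>.
  if (!el || typeof el !== 'object') return false;
  if (typeof HTMLScriptElement !== 'undefined') return el instanceof HTMLScriptElement;
  return typeof el.tagName === 'string' && el.tagName.toUpperCase() === 'SCRIPT';
}

function resolveScriptBase(currentScript, allowedOrigins, fallback) {
  // Returns the directory URL of the running bundle, or `fallback` when
  // currentScript is missing, clobbered, or points at an unexpected origin.
  if (!isRealScriptElement(currentScript)) return fallback;
  const src = typeof currentScript.src === 'string' ? currentScript.src : '';
  let url;
  try {
    url = new URL(src);
  } catch {
    return fallback; // empty, relative or unparsable src: do not trust it
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback;
  if (!allowedOrigins.includes(url.origin)) return fallback;
  // Strip the filename so callers can append chunk names safely.
  return new URL('./', url).href;
}

// Constructed sample inputs (not real page markup).
const LEGIT_SCRIPT = { tagName: 'SCRIPT', src: 'https://app.example/assets/index-abc123.js' };
const CLOBBERED = { tagName: 'IMG', name: 'currentScript', src: 'https://untrusted.example/x.js' };
const FOREIGN_SCRIPT = { tagName: 'SCRIPT', src: 'https://cdn.other.example/a.js' };
const ALLOWED = ['https://app.example'];
const FALLBACK = 'https://app.example/assets/';

function demo() {
  return {
    legit: resolveScriptBase(LEGIT_SCRIPT, ALLOWED, FALLBACK),
    clobbered: resolveScriptBase(CLOBBERED, ALLOWED, FALLBACK),
    foreign: resolveScriptBase(FOREIGN_SCRIPT, ALLOWED, FALLBACK),
    missing: resolveScriptBase(null, ALLOWED, FALLBACK),
  };
}
```

Only the genuine script element yields a base derived from its src; the clobbered, foreign-origin and missing cases all fall back to the static base.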

Timeline

  • Vulnerability published
