CVE-2023-49293: 
JavaScript vulnerability analysis and mitigation

Vite, a website frontend framework, was found to contain a cross-site scripting (XSS) vulnerability identified as CVE-2023-49293. The vulnerability was discovered when Vite's HTML transformation is invoked manually via server.transformIndexHtml, where the original request URL is passed unmodified, and the HTML being transformed contains inline module scripts. This vulnerability affects versions 4.4.0 through 4.4.11, 4.5.0, and 5.0.0 through 5.0.4 (GitHub Advisory).

The vulnerability occurs specifically in applications using appType: 'custom' and the default Vite HTML middleware. When the HTML entry contains an inline script, it becomes possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network vector attack with low complexity and requiring user interaction (GitHub Advisory).

The impact of this vulnerability is moderate, primarily affecting development-mode Server-Side Rendering (SSR) implementations. While the attack requires a user to click on a malicious URL while running the dev server, it can lead to arbitrary HTML injection. Importantly, restricted files are not exposed to the attacker during exploitation (GitHub Advisory).

The vulnerability has been patched in versions vite@5.0.5, vite@4.5.1, and vite@4.4.12. Users are advised to upgrade to these or later versions to mitigate the risk. There are no known workarounds for this vulnerability other than updating to a patched version (GitHub Advisory).