CVE-2024-45812 Overview
CVE-2024-45812 is a DOM Clobbering vulnerability affecting Vite, a popular frontend build tooling framework for JavaScript. This vulnerability can lead to Cross-Site Scripting (XSS) attacks when Vite-bundled scripts are configured to use cjs, iife, or umd output formats. The flaw allows attackers to inject seemingly benign HTML elements that can be leveraged to execute malicious scripts through code reuse techniques.
DOM Clobbering is a sophisticated attack where an attacker embeds non-script HTML markup (such as through user-generated content like posts or comments) and leverages existing JavaScript code patterns to transform this markup into executable code. In Vite's case, the vulnerability specifically targets the dynamic script import mechanism used when building to CommonJS, IIFE, or UMD formats.
Critical Impact
Attackers can achieve cross-site scripting (XSS) on websites using Vite-bundled files by exploiting the document.currentScript lookup mechanism, potentially allowing malicious script loading from attacker-controlled servers.
Affected Products
- Vite versions prior to 5.4.6
- Vite versions prior to 5.3.6
- Vite versions prior to 5.2.14
- Vite versions prior to 4.5.5
- Vite versions prior to 3.2.11
Discovery Timeline
- 2024-09-17 - CVE-2024-45812 published to NVD
- 2024-09-20 - Last updated in NVD database
Technical Details for CVE-2024-45812
Vulnerability Analysis
The vulnerability exists in Vite's handling of dynamic script imports when building to cjs, iife, or umd output formats. During the build process, Vite replaces relative paths that start with __VITE_ASSET__ using the URL retrieved from document.currentScript. This mechanism is designed to resolve asset paths at runtime, but it introduces a significant security weakness.
The document.currentScript property can be manipulated through the browser's named DOM tree element access mechanism—a behavior that forms the foundation of DOM Clobbering attacks. When an attacker can inject HTML elements with specific name or id attributes into a page, these elements can shadow legitimate DOM properties and objects.
In this specific case, an attacker who can inject an HTML element (such as an <img> tag) with a name attribute matching currentScript can effectively replace the legitimate script reference. The bundled Vite code then retrieves the src attribute from the attacker-controlled element instead of the legitimate script element, enabling the dynamic loading of scripts from an attacker-controlled server.
Root Cause
The root cause is improper validation of the document.currentScript property before using it to construct URLs for dynamic script imports. Vite's bundled output code assumes that document.currentScript will always reference the legitimate script element, without accounting for the possibility that this property could be shadowed by DOM Clobbering techniques.
This represents a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability, as the application fails to properly handle the possibility of attacker-controlled HTML elements interfering with its script loading mechanism.
Attack Vector
The attack requires network access and exploits the following conditions:
- A website must include Vite-bundled JavaScript files configured with cjs, iife, or umd output format
- The website must allow users to inject certain scriptless HTML tags (e.g., <img>, <form>, <object>) without properly sanitizing the name or id attributes
- The attacker injects an HTML element with a name attribute set to currentScript
- When Vite's bundled code attempts to dynamically import assets, it retrieves the src from the attacker's element
- This causes the application to load and execute scripts from an attacker-controlled server
The attack is particularly effective because it does not require script injection directly—the attacker only needs to inject seemingly harmless HTML attributes that most sanitizers may overlook. For detailed technical analysis, see the Vite Security Advisory and the SCNPS research paper on DOM Clobbering.
Detection Methods for CVE-2024-45812
Indicators of Compromise
- Unexpected HTML elements with name="currentScript" or similar DOM-clobbering attribute patterns in user-generated content
- Network requests to external domains from pages using Vite-bundled scripts that should only load local assets
- JavaScript errors related to document.currentScript returning unexpected values or objects
- Evidence of script loading from domains not associated with the application's asset CDN
Detection Strategies
- Implement Content Security Policy (CSP) monitoring to detect script loading from unauthorized domains
- Deploy web application firewalls (WAF) with rules to detect suspicious name and id attributes in user input that could be used for DOM Clobbering
- Monitor client-side JavaScript errors for anomalies in document.currentScript behavior
- Conduct regular security scans of user-generated content for potential DOM Clobbering payloads
Monitoring Recommendations
- Enable detailed logging for script loading failures and CSP violations
- Set up alerts for network requests to unexpected external domains from web pages
- Implement automated scanning of user input for HTML attributes that could enable DOM Clobbering attacks
- Monitor for patterns consistent with XSS exploitation attempts following DOM Clobbering injection
How to Mitigate CVE-2024-45812
Immediate Actions Required
- Upgrade Vite to patched versions: 5.4.6, 5.3.6, 5.2.14, 4.5.5, or 3.2.11 depending on your version branch
- Review and enhance input sanitization to strip or encode name and id attributes from user-controlled HTML
- Implement strict Content Security Policy (CSP) headers to restrict script sources
- Audit existing user-generated content for potential DOM Clobbering payloads
Patch Information
Security patches have been released across all supported Vite version branches. The fix addresses the unsafe reliance on document.currentScript by implementing proper validation. Organizations should upgrade to the following minimum versions:
| Version Branch | Patched Version |
|---|---|
| 5.4.x | 5.4.6 |
| 5.3.x | 5.3.6 |
| 5.2.x | 5.2.14 |
| 4.5.x | 4.5.5 |
| 3.2.x | 3.2.11 |
For detailed changes, see the GitHub commit.
Workarounds
- According to the security advisory, there are no known workarounds for this vulnerability—upgrading is the only complete remediation
- As a defense-in-depth measure, implement strict CSP headers with explicit script-src directives to limit script loading to trusted domains
- Enhance HTML sanitization to remove or encode name and id attributes from user-generated content
- Consider temporarily switching to ES module output format (es) if your application supports it, as this format is not affected
# Update Vite to the latest patched version
npm update vite
# Or specify a minimum version in package.json
npm install vite@^5.4.6
# Verify the installed version
npm list vite
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
