## Vite Build Tool Patches Critical DOM Clobbering Flaw Enabling XSS Attacks
The Vite development build tool has released version 6.0.0, addressing a critical DOM Clobbering vulnerability that could allow cross-site scripting (XSS) attacks through specially crafted scripts in Vite-bundled output. The security flaw, tracked as CVE-2024-45812 and documented in GitHub Advisory GHSA-64vr-g452-qvp3, was discovered in Vite versions prior to the major 6.x release. The vulnerability specifically resides in how Vite handles DOM clobbering gadgets within bundled scripts, creating a potential attack vector for malicious actors to inject and execute arbitrary JavaScript in victim browsers.

The issue was identified through automated dependency management tooling, with the security update upgrading Vite from version 5.2.6 to the patched 6.0.0 release. The Renovate bot flagged the change with elevated merge confidence metrics, signaling the critical nature of the patch. DOM Clobbering attacks exploit browser quirks where HTML elements with specific ID attributes override DOM properties, allowing attackers to hijack references and potentially execute scripts when their crafted elements interact with application logic expecting standard objects or functions.

Developers and security teams using Vite in their build pipelines should immediately verify whether their projects consume vulnerable versions of the bundler, particularly those handling user-generated content or external scripts. The vulnerability affects the output of Vite's bundling process, meaning both server-side and client-side applications using Vite-compiled assets may be exposed. Organizations should audit their dependency trees, apply the version 6.0.0 update, and review client-side code paths that process untrusted DOM references. Security teams treating this as an evergreen concern given the widespread adoption of Vite in modern JavaScript development ecosystems.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vite, dom-clobbering, xss, cve-2024-45812, security-patch
- **Credibility**: unverified
- **Published**: 2026-05-12 13:48:30
- **ID**: 82235
- **URL**: https://whisperx.ai/en/intel/82235