How severe is CVE-2024-45812?

CVE-2024-45812 has a CVSS score of 6.4/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by CVE-2024-45812?

CVE-2024-45812 affects the following packages: vite (npm), vite (npm), vite (npm), vite (npm), vite (npm), vite (npm). Ecosystems affected: npm.

How do I fix CVE-2024-45812?

Update vite to 5.4.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms CVE-2024-45812 is resolved across your whole dependency graph.

How do I detect CVE-2024-45812 in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for vite. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate CVE-2024-45812 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against CVE-2024-45812?

O3 pinpoints whether CVE-2024-45812 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is CVE-2024-45812 actively exploited in the wild?

No public exploit code has been indexed for CVE-2024-45812 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for CVE-2024-45812?

CVE-2024-45812 has an EPSS (Exploit Prediction Scoring System) score of 0.6%, placing it in the 44th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

When was CVE-2024-45812 published, and has it been updated?

CVE-2024-45812 was published on September 17, 2024 and was last updated on April 10, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

CVE-2024-45812

MEDIUM

DOM Clobbering gadget found in vite bundled scripts that leads to XSS in Vite

Also known asGHSA-64vr-g452-qvp3

Published

Sep 17, 2024

Updated

Apr 10, 2026

Affected

6 pkgs

Patched

6 / 6

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.6%probability of exploitation in next 30 days

Lower Risk44th percentile+0.35%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

6 pkgs affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

vitenpm

142.4Mdownloads / week

Description

Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript. However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Packages

6 total 6 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`vite`	≥ 5.4.0&&< 5.4.6	5.4.6
📦npm	`vite`	≥ 5.3.0&&< 5.3.6	5.3.6
📦npm	`vite`	≥ 5.2.0&&< 5.2.14	5.2.14
📦npm	`vite`	≥ 4.0.0&&< 4.5.4	4.5.4
📦npm	`vite`	all versions	3.2.11
📦npm	`vite`	≥ 5.0.0&&< 5.1.8	5.1.8

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for vite. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update vite to 5.4.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms CVE-2024-45812 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether CVE-2024-45812 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to CVE-2024-45812. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverage

O3 Security · Impact-Aware SCA

Is CVE-2024-45812 in your dependencies?

O3 detects CVE-2024-45812 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works