logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-53892 vue-i18n

Package

Manager: npm
Name: vue-i18n
Vulnerable Version: >=9.0.0 <9.14.5 || >=10.0.0 <10.0.8 || >=11.0.0 <11.1.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00108 pctl0.29644

Details

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes ### Summary The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as `<img src=x onerror=...>`, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. ### Details When escapeParameterHtml: true is enabled, it correctly escapes common injection points. However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via: `<img src=x onerror=alert(1)> ` ### PoC In your Vue I18n configuration: ``` const i18n = createI18n({ escapeParameterHtml: true, messages: { en: { vulnerable: 'Caution: <img src=x onerror="{payload}">' } } }); ``` Use this interpolated payload: `const payload = '<script>alert("xss")</script>';` Render the translation using v-html (even not using v-html): `<p v-html="$t('vulnerable', { payload })"></p> ` Expected: escaped content should render as text, not execute. Actual: script executes in some environments (or the payload is partially parsed as HTML). ### Impact This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Metadata

Created: 2025-07-16T19:32:48Z
Modified: 2025-07-17T20:58:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x8qp-wqqm-57ph/GHSA-x8qp-wqqm-57ph.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-x8qp-wqqm-57ph
Finding: F008
Auto approve: 1