CVE-2025-53892
BaseFortify
Publication date: 2025-07-16
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intlify | vue-i18n | 10.0.8 |
| intlify | vue-i18n | 9.14.5 |
| intlify | vue-i18n | 11.1.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in the Vue I18n plugin for Vue.js. The escapeParameterHtml: true option, which is supposed to prevent HTML/script injection by escaping interpolated parameters, fails to block certain tag-based payloads like <img src=x onerror=...> when the interpolated value is inserted inside an HTML context using v-html. This means that even with escapeParameterHtml enabled, malicious scripts can execute if a translation string includes minor HTML and is rendered via v-html in affected versions.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected web application, leading to potential theft of user data, session hijacking, or other malicious actions performed on behalf of the user. It compromises the security of the application by enabling DOM-based XSS attacks, which can affect user trust and application integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Vue I18n to version 9.14.5, 10.0.8, or 11.1.0 or later, as these versions contain the fix for the issue. Avoid using the escapeParameterHtml: true option with v-html rendering of translation strings that include HTML until the upgrade is applied.