CVE-2025-8082
Unknown Unknown - Not Provided
Cross-Site Scripting in Vuetify VDatePicker via Unsanitized HTML

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: HeroDevs

Description
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss  attack. The vulnerability occurs because the 'title-date-format' property of the 'VDatePicker' can accept a user created function and assign its output to the 'innerHTML' property of the title element without sanitization. This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8082
EUVD
EUVD-2025-203124
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vuetify vuetify 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by inspecting the usage of the Vuetify VDatePicker component in your web application, specifically checking if the `titleDateFormat` prop is set to a user-defined function that returns unsanitized HTML assigned to the title element's innerHTML. Since it is a client-side vulnerability involving JavaScript injection, network detection is limited. You can detect exploitation attempts by monitoring for unusual or malicious JavaScript execution in the browser or by reviewing application source code for unsafe usage of the `titleDateFormat` prop. There are no specific network commands provided to detect this vulnerability. For testing, you can create a test Vue.js application with Vuetify 2.x and set the `title-date-format` prop to a function returning malicious HTML (e.g., an image tag with an onerror alert) to see if the script executes, indicating vulnerability. [1]

Executive Summary

This vulnerability is an improper neutralization of the title date in the 'VDatePicker' component of Vuetify. It allows unsanitized HTML to be inserted into the page because the 'title-date-format' property can accept a user-created function whose output is assigned directly to the 'innerHTML' property of the title element without sanitization. This can lead to a Cross-Site Scripting (XSS) attack.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected web application, potentially leading to data theft, session hijacking, or other malicious actions that compromise the confidentiality, integrity, and availability of the application and its data.

Mitigation Strategies

To mitigate this vulnerability, you should avoid using Vuetify versions 2.x as they are End-of-Life and will not receive updates to fix this issue. Consider upgrading to Vuetify version 3.0.0 or later, where this vulnerability is not present. Additionally, review and sanitize any user-created functions assigned to the 'title-date-format' property in the VDatePicker component to prevent unsanitized HTML insertion.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart