CVE-2025-8082
Cross-Site Scripting in Vuetify VDatePicker via Unsanitized HTML
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: HeroDevs
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vuetify | vuetify | 2.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper neutralization of the title date in the 'VDatePicker' component of Vuetify. It allows unsanitized HTML to be inserted into the page because the 'title-date-format' property can accept a user-created function whose output is assigned directly to the 'innerHTML' property of the title element without sanitization. This can lead to a Cross-Site Scripting (XSS) attack.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected web application, potentially leading to data theft, session hijacking, or other malicious actions that compromise the confidentiality, integrity, and availability of the application and its data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should avoid using Vuetify versions 2.x as they are End-of-Life and will not receive updates to fix this issue. Consider upgrading to Vuetify version 3.0.0 or later, where this vulnerability is not present. Additionally, review and sanitize any user-created functions assigned to the 'title-date-format' property in the VDatePicker component to prevent unsanitized HTML insertion.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the usage of the Vuetify VDatePicker component in your web application, specifically checking if the `titleDateFormat` prop is set to a user-defined function that returns unsanitized HTML assigned to the title element's innerHTML. Since it is a client-side vulnerability involving JavaScript injection, network detection is limited. You can detect exploitation attempts by monitoring for unusual or malicious JavaScript execution in the browser or by reviewing application source code for unsafe usage of the `titleDateFormat` prop. There are no specific network commands provided to detect this vulnerability. For testing, you can create a test Vue.js application with Vuetify 2.x and set the `title-date-format` prop to a function returning malicious HTML (e.g., an image tag with an onerror alert) to see if the script executes, indicating vulnerability. [1]