CVE-2025-8083
Unknown Unknown - Not Provided
Prototype Pollution in Vuetify Preset Causes Server-Side Risks

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: HeroDevs

Description
The Preset configuration https://v2.vuetifyjs.com/en/features/presets  feature of Vuetify is vulnerable to Prototype Pollution https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html  due to the internal 'mergeDeep' utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data. If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process. This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8083
EUVD
EUVD-2025-203121
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vuetify vuetify *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability can lead to unauthorized access to data and denial of service, which may result in non-compliance with data protection regulations such as GDPR and HIPAA. Exploitation of the vulnerability could compromise the confidentiality, integrity, and availability of sensitive information, thereby affecting compliance with these standards.

Executive Summary

This vulnerability is a Prototype Pollution issue in the Preset configuration feature of Vuetify. It arises from the internal 'mergeDeep' utility function that merges options with defaults. An attacker can use a specially-crafted malicious preset to inject arbitrary properties into all JavaScript objects, which can alter the application's behavior in unintended ways.

Impact Analysis

The vulnerability can lead to a wide range of security issues including resource exhaustion or denial of service, and unauthorized access to data. If the application uses Server-Side Rendering (SSR), the entire server process could be affected, potentially compromising the whole server.

Mitigation Strategies

Since Vuetify version 2.x is End-of-Life and will not receive updates to address this issue, immediate mitigation steps include avoiding the use of the Preset configuration feature with untrusted input, disabling Server-Side Rendering (SSR) if possible to limit exposure, and considering upgrading to Vuetify 3.0.0-alpha.10 or later where this vulnerability is not present. Additionally, review application code to prevent merging of untrusted presets and apply strict input validation to prevent prototype pollution.

Detection Guidance

Detection of CVE-2025-8083 involves checking if your application uses a vulnerable version of Vuetify (>=2.2.0-beta.2 and <3.0.0-alpha.10) and monitoring for malicious payloads that exploit the mergeDeep function via specially crafted presets. Since the vulnerability can be triggered by a POST request to the Vuetify constructor containing a __proto__ property, you can inspect incoming POST requests for suspicious payloads attempting prototype pollution. Additionally, you can test for prototype pollution by creating a test script that initializes Vuetify with a malicious preset containing a __proto__ property and observing if new JavaScript objects are polluted. Specific commands are not provided in the resources, but you can use network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests and grep or jq to filter for payloads containing "__proto__". For example, using curl to send a test payload or node scripts to detect prototype pollution behavior can be helpful. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8083. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart