
CVE-2025-53892: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in intlify vue-i18n

Medium
Tags: Vulnerability, CVE-2025-53892, cve, cwe-79
Published: Wed Jul 16 2025 (07/16/2025, 13:42:09 UTC)
Source: CVE Database V5
Vendor/Project: intlify
Product: vue-i18n

Description

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

AI-Powered Analysis

Last updated: 07/24/2025, 00:46:30 UTC

Technical Analysis

CVE-2025-53892 is a medium-severity DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79, improper neutralization of input during web page generation) in vue-i18n, the internationalization plugin for Vue.js. Affected versions are >= 9.0.0 and < 9.14.5, >= 10.0.0 and < 10.0.8, and >= 11.0.0 and < 11.1.0. The plugin's escapeParameterHtml: true option is meant to escape interpolated parameters so that a parameter value cannot inject HTML or script into a translated message. That protection is incomplete when the translated message is rendered with Vue's v-html directive: if a translation string contains minor HTML (for example <strong> or <br> tags authored by the developer) and an attacker-controlled value is interpolated into it, certain tag-based payloads such as <img src=x onerror=...> are not neutralized and are parsed by the browser as markup, executing arbitrary JavaScript in the victim's session. The untrusted input is the interpolated parameter (a username, search term, profile field), not the translation string itself, which is normally developer-authored. Rendering the same message through text interpolation ({{ $t(...) }}) is not affected, because Vue sets text content there rather than parsing markup. The vulnerability requires no authentication but does require user interaction (the victim must load a page on which the crafted value is rendered). The CVSS 4.0 base score is 5.3, reflecting a network attack vector, low attack complexity, no privileges required, and user interaction required. No exploitation in the wild has been reported. Versions 9.14.5, 10.0.8, and 11.1.0 correct the escaping. The issue matters most for applications that combine vue-i18n with v-html to render translations carrying formatting markup, a common pattern in internationalized Vue.js applications, and that pass user-controlled values as interpolation parameters.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to web applications that use the vue-i18n plugin for internationalization and render translation strings with embedded HTML via v-html while interpolating user-controlled values. Successful exploitation allows an attacker to execute arbitrary JavaScript in a user's browser, leading to session hijacking, credential theft, unauthorized actions performed on behalf of the user, or delivery of malware. This compromises the confidentiality and integrity of user data and can damage organizational reputation. Given the widespread adoption of Vue.js in European web development, especially in sectors such as e-commerce, finance, and government portals that require multilingual support, the exposure is broad. Exploitation that exposes personal data is also a reportable breach under GDPR, with the associated regulatory consequences. The medium severity score indicates moderate risk, but the ease of exploitation via a crafted parameter value and the common use of v-html for formatted translations raise the practical threat level. Organizations with public-facing web applications on affected versions should prioritize remediation.

Mitigation Recommendations

1. Upgrade vue-i18n to a fixed version (9.14.5, 10.0.8, or 11.1.0, matching the major version in use) as soon as possible.
2. Do not render translations that receive user-controllable parameters with the v-html directive. Prefer text interpolation ({{ $t(...) }}), which never parses markup, or the <i18n-t> component, which lets the developer's own formatting be expressed as Vue elements and slots instead of raw HTML.
3. Where v-html cannot be removed, escape every interpolated parameter yourself (all of &, <, >, " and ') before passing it to the translation call, and, if translation strings themselves come from an untrusted source such as a CMS or an external translation vendor, run them through an allow-list HTML sanitizer before they reach the application.
4. Deploy a Content Security Policy that does not allow 'unsafe-inline' in script-src (use nonces or hashes instead); this blocks inline event handlers such as onerror and limits the impact of any XSS that does get through.
5. During code review and security testing, search the codebase for v-html bound to the output of $t(), t(), or other translation helpers, and for parameters to those calls that originate from user input.
6. Educate development teams on secure usage of vue-i18n and Vue directives, in particular that escapeParameterHtml only addresses parameters and that v-html always means "trust this string as markup".
7. Monitor web application logs and user reports for suspicious activity indicative of XSS attempts, such as parameter values containing tag or event-handler fragments.
8. If an immediate upgrade is not feasible, do not disable escapeParameterHtml (without it no parameter escaping happens at all); treat it as insufficient on affected versions and apply items 2 and 3 so that no untrusted parameter reaches v-html unescaped.
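The pattern described in the Technical Analysis and the advice in mitigation items 2, 3 and 8, shown as an added example (this is not vue-i18n's code and does not reproduce the library's escaper; the page does not state the exact bypass). The {name} placeholder syntax and interpolate() are a stand-in for a named-parameter t() call, and MESSAGES and PAYLOAD are constructed for the example:

```javascript
// Added example, not vue-i18n's code: a constructed model of "translation
// string with minor HTML + attacker-controlled parameter + v-html", with a
// complete HTML escaper applied to the parameters and a regression check.
// interpolate() and the {key} placeholder syntax are hypothetical stand-ins.

// Escape every character that can change meaning in HTML text or attribute
// context. A parameter escaped this way cannot open a tag or break out of an
// attribute, even if the surrounding translation string is parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so entities produced below are not doubled
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical stand-in for a named-parameter translation call such as
// t('welcome', { name, count }). Placeholders are written as {key}; unknown
// keys are left untouched.
function interpolate(template, params, escapeParams) {
  return template.replace(/\{(\w+)\}/g, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(params, key)) return match;
    return escapeParams ? escapeHtml(params[key]) : String(params[key]);
  });
}

// Developer-authored message containing "minor HTML" that the application
// intends to render with v-html so the formatting survives (constructed).
const MESSAGES = {
  welcome: 'Welcome back, <strong>{name}</strong>! You have <em>{count}</em> new alerts.',
};

// Constructed attacker-controlled profile value (the display name).
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Vulnerable combination: the parameter reaches the markup unescaped, and
// v-html hands the resulting string to the HTML parser, which creates the
// <img> element and fires its onerror handler.
function renderVulnerable(name, count) {
  return interpolate(MESSAGES.welcome, { name, count }, false);
}

// Hardened combination: every parameter is escaped before interpolation, so
// v-html only parses the developer's own tags and the payload is inert text
// inside the <strong> element.
function renderHardened(name, count) {
  return interpolate(MESSAGES.welcome, { name, count }, true);
}

// Regression check for whatever escaper is in use: parameters must not be
// able to add tags, so the rendered markup may contain no more '<' than the
// trusted template, and no parameter containing HTML metacharacters may
// appear verbatim in the output.
function paramsAreInert(template, rendered, params) {
  const lt = (s) => (s.match(/</g) || []).length;
  if (lt(rendered) !== lt(template)) return false;
  return Object.values(params).every((v) => {
    const s = String(v);
    return !/[<>"'&]/.test(s) || !rendered.includes(s);
  });
}

// Stand-alone demonstration.
const params = { name: PAYLOAD, count: 3 };
const unsafe = renderVulnerable(PAYLOAD, 3);
const safe = renderHardened(PAYLOAD, 3);
console.log('vulnerable:', unsafe, '| inert:', paramsAreInert(MESSAGES.welcome, unsafe, params));
console.log('hardened:  ', safe, '| inert:', paramsAreInert(MESSAGES.welcome, safe, params));
```

paramsAreInert() is the kind of unit test worth keeping in a project's suite regardless of library version, because it checks the property that matters (parameters cannot introduce markup) rather than a particular escaper implementation. Note its limit: escaping protects text and quoted-attribute contexts only. A template that places a parameter inside href or src still needs URL validation, since a value such as javascript: contains no metacharacters and passes this check.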


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-11T19:05:23.825Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6877ad45a83201eaacdb7e3d

Added to database: 7/16/2025, 1:46:45 PM

Last enriched: 7/24/2025, 12:46:30 AM

Last updated: 8/21/2025, 1:57:32 PM

