CVE-2025-8082 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting Vuetify versions from 2.0.0 up to but not including 3.0.0. The vulnerability stems from the 'VDatePicker' component's 'title-date-format' property, which accepts a user-defined function whose output is directly assigned to the innerHTML of the title element without proper sanitization. This improper neutralization allows an attacker to inject malicious HTML or JavaScript code into the web page, potentially executing arbitrary scripts in the context of the victim's browser. The vulnerability requires no authentication but does require user interaction, such as clicking a crafted link or visiting a malicious page. The CVSS v3.1 base score is 6.3 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability at a low level. Notably, Vuetify 2.x is end-of-life and will not receive patches, meaning vulnerable applications must either upgrade to Vuetify 3 or apply alternative mitigations. No public exploits are known at this time, but the vulnerability poses a risk to any web application using the affected Vuetify versions, especially those exposing the VDatePicker component with user-controllable 'title-date-format' functions.

For European organizations, this vulnerability can lead to unauthorized script execution in users' browsers, resulting in session hijacking, data theft, or defacement of web applications. Although the confidentiality, integrity, and availability impacts are rated low, the exploitation can facilitate phishing attacks or further compromise user accounts. Organizations relying on Vuetify 2.x in customer-facing or internal web applications are at risk, especially if these applications handle sensitive data or authentication tokens. The lack of vendor patches due to end-of-life status increases the risk exposure. Additionally, regulatory frameworks such as GDPR require protection of user data, and exploitation of this vulnerability could lead to data breaches and associated compliance penalties. The threat is particularly relevant for sectors with high web application usage, including finance, e-commerce, and public services across Europe.

Since Vuetify 2.x is end-of-life and no official patches will be released, the primary mitigation is to upgrade affected applications to Vuetify 3, which addresses this vulnerability. If immediate upgrade is not feasible, organizations should implement strict input validation and sanitization on any user-supplied data passed to the 'title-date-format' property or avoid using custom functions that generate HTML for this property. Employing a robust Content Security Policy (CSP) that restricts script execution and disallows inline scripts can reduce the impact of XSS attacks. Additionally, web application firewalls (WAFs) can be configured to detect and block malicious payloads targeting this vulnerability. Regular security testing, including automated scanning and manual code review focusing on the usage of VDatePicker and its properties, is recommended. Educating developers about safe usage patterns and avoiding direct innerHTML assignments without sanitization is critical. Monitoring for suspicious activity and user reports of unusual behavior can help detect exploitation attempts.