Skip to content

vue-i18n-9.2.2.tgz: 2 vulnerabilities (highest severity is: 8.2) #12

New issue
New issue
Open
Open
vue-i18n-9.2.2.tgz: 2 vulnerabilities (highest severity is: 8.2)#12
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Mar 9, 2025
Vulnerable Library - vue-i18n-9.2.2.tgz

Internationalization plugin for Vue.js

Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/vue-i18n/package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (vue-i18n version) Remediation Possible**
CVE-2025-27597 High 8.2 vue-i18n-9.2.2.tgz Direct N/A
CVE-2025-53892 Medium 6.1 detected in multiple dependencies Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-27597

Vulnerable Library - vue-i18n-9.2.2.tgz

Internationalization plugin for Vue.js

Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/vue-i18n/package.json

Dependency Hierarchy:

  • vue-i18n-9.2.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

Publish Date: 2025-03-07

URL: CVE-2025-27597

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2025-53892

Vulnerable Libraries - core-base-9.2.2.tgz, vue-i18n-9.2.2.tgz

core-base-9.2.2.tgz

@intlify/core-base

Library home page: https://registry.npmjs.org/@intlify/core-base/-/core-base-9.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@intlify/core-base/package.json

Dependency Hierarchy:

  • vue-i18n-9.2.2.tgz (Root Library)
    • core-base-9.2.2.tgz (Vulnerable Library)

vue-i18n-9.2.2.tgz

Internationalization plugin for Vue.js

Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/vue-i18n/package.json

Dependency Hierarchy:

  • vue-i18n-9.2.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as , if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

Publish Date: 2025-07-16

URL: CVE-2025-53892

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x8qp-wqqm-57ph

Release Date: 2025-07-16

Fix Resolution: vue-i18n - 11.1.10,vue-i18n - 10.0.8,petite-vue-i18n - 11.1.10,@intlify/core - 11.1.10,@intlify/vue-i18n-core - 10.0.8,@intlify/core - 9.14.5,@intlify/vue-i18n-core - 11.1.10,vue-i18n - 9.14.5,vue-i18n - 11.1.10,petite-vue-i18n - 10.0.8,vue-i18n - 10.0.8,@intlify/vue-i18n-core - 9.14.5,@intlify/core - 10.0.8,@intlify/core-base - 10.0.8,vue-i18n - 9.14.5,@intlify/core-base - 11.1.10,@intlify/core-base - 9.14.5

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions