📂 Vulnerable Library - vue-i18n-9.2.2.tgz
Internationalization plugin for Vue.js
Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2025-27597 |
🔴 High |
8.2 |
Not Defined |
< 1% |
vue-i18n-9.2.2.tgz |
Direct |
N/A |
❌ |
 Reachable |
| CVE-2025-53892 |
🟠 Medium |
6.1 |
Not Defined |
< 1% |
vue-i18n-9.2.2.tgz |
Direct |
N/A |
❌ |
Reachable |
| CVE-2025-53892 |
🟠 Medium |
6.1 |
Not Defined |
< 1% |
core-base-9.2.2.tgz |
Transitive |
N/A |
❌ |
 Unreachable |
| CVE-2024-6783 |
🟠 Medium |
4.8 |
Not Defined |
< 1% |
vue-2.7.14.tgz |
Direct |
no_fix |
✅ |
Reachable |
| CVE-2024-9506 |
🟡 Low |
3.7 |
Not Defined |
< 1% |
vue-2.7.14.tgz |
Direct |
vue - 3.0.0 |
✅ |
Reachable |
Details
🔴CVE-2025-27597
Vulnerable Library - vue-i18n-9.2.2.tgz
Internationalization plugin for Vue.js
Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- ❌ vue-i18n-9.2.2.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/src/app/adapter/view/vue.adapter.ts (Application)
- vue-i18n-9.2.2/index.js (Extension)
-> ❌ vue-i18n-9.2.2/dist/vue-i18n.cjs.prod.js (Vulnerable Component)
Vulnerability Details
Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.
Publish Date: Mar 07, 2025 03:51 PM
URL: CVE-2025-27597
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-53892
Vulnerable Library - vue-i18n-9.2.2.tgz
Internationalization plugin for Vue.js
Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- ❌ vue-i18n-9.2.2.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/src/app/adapter/view/vue.adapter.ts (Application)
- vue-i18n-9.2.2/index.js (Extension)
-> ❌ vue-i18n-9.2.2/dist/vue-i18n.cjs.js (Vulnerable Component)
Vulnerability Details
Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as 
, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.
Publish Date: Jul 16, 2025 01:42 PM
URL: CVE-2025-53892
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-53892
Vulnerable Library - core-base-9.2.2.tgz
@intlify/core-base
Library home page: https://registry.npmjs.org/@intlify/core-base/-/core-base-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- vue-i18n-9.2.2.tgz (Root Library)
- ❌ core-base-9.2.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as , if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.
Publish Date: Jul 16, 2025 01:42 PM
URL: CVE-2025-53892
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2024-6783
Vulnerable Library - vue-2.7.14.tgz
Reactive, component-oriented view layer for modern web interfaces.
Library home page: https://registry.npmjs.org/vue/-/vue-2.7.14.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
-
vuex-3.6.2.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vue-3.3.4.tgz (Root Library)
- server-renderer-3.3.4.tgz
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
❌ vue-2.7.14.tgz (Vulnerable Library)
-
test-utils-1.3.6.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vue-router-4.2.2.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vue-i18n-9.2.2.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
compat-3.3.4.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vuex-4.1.0.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
test-utils-2.3.2.tgz (Root Library)
- server-renderer-3.3.4.tgz
- ❌ vue-2.7.14.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/src/viewRenderer.ts (Application)
-> ❌ vue-2.7.14/dist/vue.runtime.common.js (Vulnerable Component)
Vulnerability Details
A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as "Object.prototype.staticClass" or "Object.prototype.staticStyle" to execute arbitrary JavaScript code.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 23, 2024 03:05 PM
URL: CVE-2024-6783
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 4.8
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6783
Release Date: Jul 23, 2024 03:05 PM
Fix Resolution : no_fix
🟡CVE-2024-9506
Vulnerable Library - vue-2.7.14.tgz
Reactive, component-oriented view layer for modern web interfaces.
Library home page: https://registry.npmjs.org/vue/-/vue-2.7.14.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
-
vuex-3.6.2.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vue-3.3.4.tgz (Root Library)
- server-renderer-3.3.4.tgz
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
❌ vue-2.7.14.tgz (Vulnerable Library)
-
test-utils-1.3.6.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vue-router-4.2.2.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vue-i18n-9.2.2.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
compat-3.3.4.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
vuex-4.1.0.tgz (Root Library)
- ❌ vue-2.7.14.tgz (Vulnerable Library)
-
test-utils-2.3.2.tgz (Root Library)
- server-renderer-3.3.4.tgz
- ❌ vue-2.7.14.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/src/viewRenderer.ts (Application)
- vue-2.7.14/dist/vue.runtime.common.js (Extension)
-> ❌ vue-2.7.14/dist/vue.runtime.common.prod.js (Vulnerable Component)
Vulnerability Details
Improper regular expression in Vue's parseHTML function leads to a potential regular expression denial of service vulnerability.
Publish Date: Oct 15, 2024 03:40 PM
URL: CVE-2024-9506
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j4c-8p2g-v4jx
Release Date: Oct 15, 2024 03:40 PM
Fix Resolution : vue - 3.0.0
📂 Vulnerable Library - vue-i18n-9.2.2.tgz
Internationalization plugin for Vue.js
Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
Details
🔴CVE-2025-27597
Vulnerable Library - vue-i18n-9.2.2.tgz
Internationalization plugin for Vue.js
Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.
Publish Date: Mar 07, 2025 03:51 PM
URL: CVE-2025-27597
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-53892
Vulnerable Library - vue-i18n-9.2.2.tgz
Internationalization plugin for Vue.js
Library home page: https://registry.npmjs.org/vue-i18n/-/vue-i18n-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as
, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.
Publish Date: Jul 16, 2025 01:42 PM
URL: CVE-2025-53892
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-53892
Vulnerable Library - core-base-9.2.2.tgz
@intlify/core-base
Library home page: https://registry.npmjs.org/@intlify/core-base/-/core-base-9.2.2.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as
, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.
Publish Date: Jul 16, 2025 01:42 PM
URL: CVE-2025-53892
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2024-6783
Vulnerable Library - vue-2.7.14.tgz
Reactive, component-oriented view layer for modern web interfaces.
Library home page: https://registry.npmjs.org/vue/-/vue-2.7.14.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
vuex-3.6.2.tgz (Root Library)
vue-3.3.4.tgz (Root Library)
❌ vue-2.7.14.tgz (Vulnerable Library)
test-utils-1.3.6.tgz (Root Library)
vue-router-4.2.2.tgz (Root Library)
vue-i18n-9.2.2.tgz (Root Library)
compat-3.3.4.tgz (Root Library)
vuex-4.1.0.tgz (Root Library)
test-utils-2.3.2.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as "Object.prototype.staticClass" or "Object.prototype.staticStyle" to execute arbitrary JavaScript code.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 23, 2024 03:05 PM
URL: CVE-2024-6783
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 4.8
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6783
Release Date: Jul 23, 2024 03:05 PM
Fix Resolution : no_fix
🟡CVE-2024-9506
Vulnerable Library - vue-2.7.14.tgz
Reactive, component-oriented view layer for modern web interfaces.
Library home page: https://registry.npmjs.org/vue/-/vue-2.7.14.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
vuex-3.6.2.tgz (Root Library)
vue-3.3.4.tgz (Root Library)
❌ vue-2.7.14.tgz (Vulnerable Library)
test-utils-1.3.6.tgz (Root Library)
vue-router-4.2.2.tgz (Root Library)
vue-i18n-9.2.2.tgz (Root Library)
compat-3.3.4.tgz (Root Library)
vuex-4.1.0.tgz (Root Library)
test-utils-2.3.2.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Improper regular expression in Vue's parseHTML function leads to a potential regular expression denial of service vulnerability.
Publish Date: Oct 15, 2024 03:40 PM
URL: CVE-2024-9506
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j4c-8p2g-v4jx
Release Date: Oct 15, 2024 03:40 PM
Fix Resolution : vue - 3.0.0