CVE-2025-27597

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-27597
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27597.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27597
Aliases
Related
Published
2025-03-07T16:15:39Z
Modified
2025-03-08T01:55:03.462824Z
Summary
[none]
Details

Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

References

Affected packages

Git / github.com/intlify/vue-i18n

Affected ranges

Type
GIT
Repo
https://github.com/intlify/vue-i18n
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4bb6eacda7fc2cde5687549afa0efb27ca40862a

Affected versions

v10.*

v10.0.0
v10.0.0-alpha.1
v10.0.0-alpha.2
v10.0.0-alpha.3
v10.0.0-alpha.4
v10.0.0-alpha.5
v10.0.0-beta.1
v10.0.0-beta.2
v10.0.0-beta.3
v10.0.0-beta.4
v10.0.0-beta.5
v10.0.0-beta.6
v10.0.0-rc.1
v10.0.1
v10.0.2
v10.0.3
v10.0.4

v11.*

v11.0.0
v11.0.0-beta.0
v11.0.0-beta.1
v11.0.0-beta.2
v11.0.0-rc.1
v11.0.1

v9.*

v9.0.0
v9.0.0-alpha.0
v9.0.0-alpha.1
v9.0.0-alpha.10
v9.0.0-alpha.11
v9.0.0-alpha.12
v9.0.0-alpha.13
v9.0.0-alpha.14
v9.0.0-alpha.15
v9.0.0-alpha.16
v9.0.0-alpha.17
v9.0.0-alpha.2
v9.0.0-alpha.3
v9.0.0-alpha.4
v9.0.0-alpha.5
v9.0.0-alpha.6
v9.0.0-alpha.7
v9.0.0-alpha.8
v9.0.0-alpha.9
v9.0.0-beta.1
v9.0.0-beta.10
v9.0.0-beta.11
v9.0.0-beta.12
v9.0.0-beta.13
v9.0.0-beta.14
v9.0.0-beta.15
v9.0.0-beta.16
v9.0.0-beta.17
v9.0.0-beta.18
v9.0.0-beta.2
v9.0.0-beta.3
v9.0.0-beta.4
v9.0.0-beta.5
v9.0.0-beta.6
v9.0.0-beta.7
v9.0.0-beta.8
v9.0.0-beta.9
v9.0.0-rc.1
v9.0.0-rc.2
v9.0.0-rc.3
v9.0.0-rc.4
v9.0.0-rc.5
v9.0.0-rc.6
v9.0.0-rc.7
v9.0.0-rc.8
v9.0.0-rc.9
v9.1.0
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.1.5
v9.1.6
v9.10.0
v9.10.1
v9.10.2
v9.11.0
v9.11.1
v9.12.0
v9.12.1
v9.13.0
v9.13.1
v9.2.0
v9.2.0-alpha.1
v9.2.0-alpha.2
v9.2.0-alpha.3
v9.2.0-alpha.4
v9.2.0-alpha.5
v9.2.0-alpha.6
v9.2.0-alpha.7
v9.2.0-alpha.8
v9.2.0-alpha.9
v9.2.0-beta.1
v9.2.0-beta.10
v9.2.0-beta.11
v9.2.0-beta.12
v9.2.0-beta.13
v9.2.0-beta.14
v9.2.0-beta.15
v9.2.0-beta.16
v9.2.0-beta.17
v9.2.0-beta.18
v9.2.0-beta.19
v9.2.0-beta.2
v9.2.0-beta.20
v9.2.0-beta.21
v9.2.0-beta.22
v9.2.0-beta.23
v9.2.0-beta.24
v9.2.0-beta.25
v9.2.0-beta.26
v9.2.0-beta.27
v9.2.0-beta.28
v9.2.0-beta.29
v9.2.0-beta.3
v9.2.0-beta.30
v9.2.0-beta.31
v9.2.0-beta.32
v9.2.0-beta.33
v9.2.0-beta.34
v9.2.0-beta.35
v9.2.0-beta.36
v9.2.0-beta.37
v9.2.0-beta.38
v9.2.0-beta.39
v9.2.0-beta.4
v9.2.0-beta.40
v9.2.0-beta.5
v9.2.0-beta.6
v9.2.0-beta.7
v9.2.0-beta.8
v9.2.0-beta.9
v9.2.1
v9.2.2
v9.3.0
v9.3.0-beta.0
v9.3.0-beta.1
v9.3.0-beta.10
v9.3.0-beta.11
v9.3.0-beta.12
v9.3.0-beta.13
v9.3.0-beta.14
v9.3.0-beta.15
v9.3.0-beta.16
v9.3.0-beta.17
v9.3.0-beta.18
v9.3.0-beta.19
v9.3.0-beta.2
v9.3.0-beta.20
v9.3.0-beta.21
v9.3.0-beta.22
v9.3.0-beta.23
v9.3.0-beta.24
v9.3.0-beta.25
v9.3.0-beta.26
v9.3.0-beta.27
v9.3.0-beta.3
v9.3.0-beta.4
v9.3.0-beta.5
v9.3.0-beta.6
v9.3.0-beta.7
v9.3.0-beta.8
v9.3.0-beta.9
v9.4.0
v9.4.1
v9.5.0
v9.6.0
v9.6.1
v9.6.2
v9.6.3
v9.6.4
v9.6.5
v9.7.0
v9.7.1
v9.8.0
v9.9.0
v9.9.1