CVE-2025-53892
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-53892
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53892.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-53892
- Aliases
- Published
- 2025-07-16T13:42:09.383Z
- Modified
- 2025-12-05T10:19:36.213703Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Intlify Vue I18n's escapeParameterHtml does not prevent DOM-based XSS via tag attributes like onerror
- Details
-
Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53892.json", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53892.json
- https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e
- https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099
- https://github.com/intlify/vue-i18n/pull/2229
- https://github.com/intlify/vue-i18n/pull/2230
- https://github.com/intlify/vue-i18n/releases/tag/v10.0.8
- https://github.com/intlify/vue-i18n/releases/tag/v11.1.10
- https://github.com/intlify/vue-i18n/releases/tag/v9.14.5
- https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph
- https://nvd.nist.gov/vuln/detail/CVE-2025-53892
Affected packages
Git / github.com/intlify/vue-i18n
Affected ranges
Affected versions
v10.*
v10.0.0
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v11.*
v11.0.0
v11.0.1
v9.*
v9.0.0
v9.1.0
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.1.5
v9.1.6
v9.10.0
v9.10.1
v9.10.2
v9.11.0
v9.11.1
v9.12.0
v9.12.1
v9.13.0
v9.13.1
v9.14.0
v9.14.1
v9.14.2
v9.14.3
v9.14.4
v9.2.0
v9.2.0-alpha.1
v9.2.0-alpha.2
v9.2.0-alpha.3
v9.2.0-alpha.4
v9.2.0-alpha.5
v9.2.0-alpha.6
v9.2.0-alpha.7
v9.2.0-alpha.8
v9.2.0-alpha.9
v9.2.0-beta.1
v9.2.0-beta.10
v9.2.0-beta.11
v9.2.0-beta.12
v9.2.0-beta.13
v9.2.0-beta.14
v9.2.0-beta.15
v9.2.0-beta.16
v9.2.0-beta.17
v9.2.0-beta.18
v9.2.0-beta.19
v9.2.0-beta.2
v9.2.0-beta.20
v9.2.0-beta.21
v9.2.0-beta.22
v9.2.0-beta.23
v9.2.0-beta.24
v9.2.0-beta.25
v9.2.0-beta.26
v9.2.0-beta.27
v9.2.0-beta.28
v9.2.0-beta.29
v9.2.0-beta.3
v9.2.0-beta.30
v9.2.0-beta.31
v9.2.0-beta.32
v9.2.0-beta.33
v9.2.0-beta.34
v9.2.0-beta.35
v9.2.0-beta.36
v9.2.0-beta.37
v9.2.0-beta.38
v9.2.0-beta.39
v9.2.0-beta.4
v9.2.0-beta.40
v9.2.0-beta.5
v9.2.0-beta.6
v9.2.0-beta.7
v9.2.0-beta.8
v9.2.0-beta.9
v9.2.1
v9.2.2
v9.3.0
v9.3.0-beta.0
v9.3.0-beta.1
v9.3.0-beta.10
v9.3.0-beta.11
v9.3.0-beta.12
v9.3.0-beta.13
v9.3.0-beta.14
v9.3.0-beta.15
v9.3.0-beta.16
v9.3.0-beta.17
v9.3.0-beta.18
v9.3.0-beta.19
v9.3.0-beta.2
v9.3.0-beta.20
v9.3.0-beta.21
v9.3.0-beta.22
v9.3.0-beta.23
v9.3.0-beta.24
v9.3.0-beta.25
v9.3.0-beta.26
v9.3.0-beta.27
v9.3.0-beta.3
v9.3.0-beta.4
v9.3.0-beta.5
v9.3.0-beta.6
v9.3.0-beta.7
v9.3.0-beta.8
v9.3.0-beta.9
v9.4.0
v9.4.1
v9.5.0
v9.6.0
v9.6.1
v9.6.2
v9.6.3
v9.6.4
v9.6.5
v9.7.0
v9.7.1
v9.8.0
v9.9.0
v9.9.1