Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 5

Severity:: High

Description

Vulnerability type: Prototype Pollution

Vulnerability Location(s):

Description:

The latest version of @intlify/message-resolver (9.1) and @intlify/vue-i18n-core (9.2 or later), (previous versions might also affected), is vulnerable to Prototype Pollution through the entry function(s) handleFlatJson.

Recommendation

Update the @intlify/message-resolver package to the latest compatible version. Followings are version details:

Affected version(s): >= 9.1.0, < 9.1.11
Patched version(s): 9.1.11

References

GHSA-p2ph-7g93-hw3m
CVE-2025-27597
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
create-choo-app3 is vulnerable to Command Injection via the devInstall function - CVE-2022-25855
Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 4 - CVE-2025-27597
Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 3 - CVE-2025-27597

Tags:: npm; @intlify/message-resolver

Anything's wrong? Let us know Last updated on March 10, 2025