vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph)
- Severity: Medium
Description
The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.
Recommendation
Update the @intlify/vue-i18n-core package to the latest compatible version. Version details:
Affected version(s): **>= 11.0.0, < 11.1.10; >= 10.0.0, < 10.0.8; >= 9.2.0, < 9.14.5**
Patched version(s): **11.1.10, 10.0.8, 9.14.5**
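One way to check a project against these version ranges, as an added example (not code from the advisory or from vue-i18n): it scans the `packages` map of a parsed npm package-lock.json for installed copies of @intlify/vue-i18n-core that fall inside an affected range. The sample lockfile and the nested package names in it are constructed.

```javascript
// Added example: flag @intlify/vue-i18n-core versions inside the advisory's ranges.
const PKG = '@intlify/vue-i18n-core';
const AFFECTED = [ // [inclusive lower bound, exclusive upper bound = patched version]
  ['11.0.0', '11.1.10'],
  ['10.0.0', '10.0.8'],
  ['9.2.0', '9.14.5'],
];

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// Numeric compare; a pre-release sorts below the release with the same numbers.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  return Number(b.pre) - Number(a.pre);
}

function isAffected(version) {
  const v = parse(version);
  if (!v) return true; // unparseable version: fail closed so it gets reviewed
  return AFFECTED.some(([lo, hi]) =>
    compare(v, parse(lo)) >= 0 && compare(v, parse(hi)) < 0);
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map).
function findAffected(lock) {
  const suffix = 'node_modules/' + PKG;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith(suffix) && isAffected(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile (made-up app and parent package names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@intlify/vue-i18n-core': { version: '11.1.9' },
    'node_modules/legacy-widget/node_modules/@intlify/vue-i18n-core': { version: '9.14.5' },
    'node_modules/admin-ui/node_modules/@intlify/vue-i18n-core': { version: '10.0.3' },
  },
};
for (const hit of findAffected(sampleLock)) {
  console.log(`affected: ${hit.path} @ ${hit.version}`);
}
```

Nested copies matter here: a patched top-level install does not help if a dependency still pins an affected version under its own node_modules.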
References
Related Issues
- vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 4 - CVE-2025-53892
- vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 3 - CVE-2025-53892
- vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 2 - CVE-2025-53892
- vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes - CVE-2025-53892
- Tags:
- npm
- @intlify/vue-i18n-core
Last updated on July 17, 2025