vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph)
- Severity:
- Medium
Description
The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.
Recommendation
Update the @intlify/vue-i18n-core package to the latest compatible version. Followings are version details:
Affected version(s): **>= 11.0.0, < 11.1.10 >= 10.0.0, < 10.0.8 >= 9.2.0, < 9.14.5** Patched version(s): **11.1.10 10.0.8 9.14.5**
References
Related Issues
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) - CVE-2025-27597
- vue-i18n has cross-site scripting vulnerability with prototype pollution (GHSA-9r9m-ffp6-9x4v) - CVE-2024-52809
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) - CVE-2024-52810
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- @intlify/vue-i18n-core
Anything's wrong? Let us know Last updated on July 17, 2025