vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 4
- Severity:
- Medium
Description
The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.
Recommendation
Update the vue-i18n package to the latest compatible version. Followings are version details:
Affected version(s): **>= 11.0.0, < 11.1.10 >= 10.0.0, < 10.0.8 >= 9.0.0, < 9.14.5** Patched version(s): **11.1.10 10.0.8 9.14.5**
References
Related Issues
- vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 3 - CVE-2025-53892
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 4 - CVE-2025-27597
- Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 2 - CVE-2024-52810
- Tags:
- npm
- vue-i18n
Anything's wrong? Let us know Last updated on July 17, 2025