vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)

Severity:: Medium

Description

A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life.

Recommendation

No fix is available yet. Followings are affected versions:

>= 2.0.0, < 3.0.0

References

GHSA-g3ch-rx76-35fx
www.herodevs.com
CVE-2024-6783
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes - CVE-2024-6485
Froala WYSIWYG editor allows cross-site scripting (XSS) - CVE-2024-51434
Cross-site Scripting (XSS) in serialize-javascript - CVE-2024-11831

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

How do hackers hack websites?

Tags:: npm; vue-template-compiler

Anything's wrong? Let us know Last updated on December 31, 2025