vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
- Severity: Medium
Description
A vulnerability has been discovered in vue-template-compiler that allows an attacker to perform XSS via prototype pollution. By polluting prototype properties such as Object.prototype.staticClass or Object.prototype.staticStyle, the attacker could execute arbitrary JavaScript code. Vue 2 has reached End-of-Life.
Recommendation
No fix is available yet. The following versions are affected:
- >= 2.0.0, < 3.0.0
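
With no fixed release to move to, an application can at least check whether the properties named in the description are reachable through Object.prototype before it compiles a template. The following is an added example, not code from this advisory or from the Vue project; the function names are hypothetical, the marker value is constructed, and it assumes the pollution happens in the same JavaScript realm before the check runs.

```javascript
// Added example: audit Object.prototype before compiling Vue 2 templates.
// All function names are hypothetical; sample values are constructed.

// Properties the advisory names as pollution targets.
const ADVISORY_KEYS = ['staticClass', 'staticStyle'];

// List suspicious own keys on Object.prototype. Built-in members are
// non-enumerable, so any enumerable key was added at runtime; the watched
// keys are also checked by name in case they were defined non-enumerable.
function auditObjectPrototype(watchKeys = ADVISORY_KEYS) {
  const hasOwn = Object.prototype.hasOwnProperty;
  const enumerable = Object.keys(Object.prototype);
  const watched = watchKeys.filter((k) => hasOwn.call(Object.prototype, k));
  return [...new Set([...enumerable, ...watched])].sort();
}

// Refuse to continue (e.g. before a compile call) if the prototype is dirty.
function assertCleanPrototype(watchKeys = ADVISORY_KEYS) {
  const found = auditObjectPrototype(watchKeys);
  if (found.length > 0) {
    throw new Error('Object.prototype polluted: ' + found.join(', '));
  }
}

// Constructed demonstration using a harmless marker string.
function demo() {
  const before = auditObjectPrototype();
  Object.prototype.staticClass = 'constructed-marker';
  let inherited, during, blocked = false;
  try {
    const node = { tag: 'div' }; // any plain object inherits the key
    inherited = node.staticClass;
    during = auditObjectPrototype();
    try { assertCleanPrototype(); } catch (e) { blocked = true; }
  } finally {
    delete Object.prototype.staticClass; // always restore the prototype
  }
  return { before, inherited, during, blocked, after: auditObjectPrototype() };
}

console.log(demo());
```

A check like this only reports pollution that is present when it runs; it does not remove the underlying pollution source or change the compiler's behaviour.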
References
Related Issues
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343
- Bootstrap vulnerable to Cross-Site Scripting (XSS) - CVE-2018-14040
- jQuery vulnerable to Cross-Site Scripting (XSS) - CVE-2011-4969
- Tags: npm, vue-template-compiler
Last updated on December 31, 2025