vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
- Severity:
- Medium
Description
A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 2.0.0, < 3.0.0
References
Related Issues
- vue-i18n has cross-site scripting vulnerability with prototype pollution - @intlify/vue-i18n-core - CVE-2024-52809
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343
You might also like:
- Tags:
- npm
- vue-template-compiler
Anything's wrong? Let us know Last updated on December 31, 2025


