vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
- Severity: Medium
Description
A vulnerability has been discovered in vue-template-compiler that allows an attacker to perform XSS via prototype pollution. By polluting the prototype chain with properties such as Object.prototype.staticClass or Object.prototype.staticStyle, the attacker could execute arbitrary JavaScript code. Vue 2 has reached End-of-Life.
Recommendation
No fix is available yet. The following versions are affected:
- >= 2.0.0, < 3.0.0
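
Because no fixed release exists, one defensive option is to check Object.prototype before the compiler runs. The following is an added example, not code from this advisory or from Vue: `findPollutedKeys`, `unexpectedPrototypeKeys` and `guardedCompile` are hypothetical names, `compileFn` stands in for the compiler's `compile(template, options)` export, and the watched-key list holds only the two properties named in the description. The broader builtin-name comparison goes beyond those two properties.

```javascript
// Added example, not code from Vue or from the advisory.
// WATCHED_KEYS lists only the two properties the advisory names; its wording
// ("such as") means the list is an assumption and may be incomplete.
const WATCHED_KEYS = ['staticClass', 'staticStyle'];

// Names Object.prototype carries in a standard ECMAScript engine.
const BUILTIN_KEYS = new Set([
  'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable',
  'toString', 'toLocaleString', 'valueOf', '__proto__',
  '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__',
]);

// Watched keys that every plain object currently inherits.
function findPollutedKeys(keys = WATCHED_KEYS) {
  return keys.filter((k) =>
    Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Broader check: any string or symbol key on Object.prototype that is not a builtin.
function unexpectedPrototypeKeys() {
  return Reflect.ownKeys(Object.prototype).filter((k) => !BUILTIN_KEYS.has(k));
}

// Hypothetical wrapper: refuse to compile while Object.prototype is polluted.
// compileFn stands in for the compiler's compile(template, options) export.
function guardedCompile(compileFn, template, options) {
  const polluted = [
    ...new Set([...findPollutedKeys(), ...unexpectedPrototypeKeys()]),
  ];
  if (polluted.length > 0) {
    const names = polluted.map(String).join(', ');
    throw new Error(
      `Object.prototype is polluted (${names}); refusing to compile`);
  }
  return compileFn(template, options);
}
```

A non-empty result means earlier code wrote to the shared prototype, so log it and investigate the source rather than only deleting the key.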
Related Issues
- nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343
- Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter - CVE-2020-19697
- Stored Cross-site Scripting (XSS) in excalidraw's web embed component - CVE-2024-32472
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- Tags: npm, vue-template-compiler
Last updated on December 31, 2025