Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Intlify
  • Vue-i18n

No data.

No data.

References
Link Providers
https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e cve-icon cve-icon
https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099 cve-icon cve-icon
https://github.com/intlify/vue-i18n/pull/2229 cve-icon cve-icon
https://github.com/intlify/vue-i18n/pull/2230 cve-icon cve-icon
https://github.com/intlify/vue-i18n/releases/tag/v10.0.8 cve-icon cve-icon
https://github.com/intlify/vue-i18n/releases/tag/v11.1.10 cve-icon cve-icon
https://github.com/intlify/vue-i18n/releases/tag/v9.14.5 cve-icon cve-icon
https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph cve-icon cve-icon cve-icon
History

Tue, 22 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Description Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.
Title Intlify Vue I18n's escapeParameterHtml does not prevent DOM-based XSS via tag attributes like onerror
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-07-16T13:42:09.383Z

Updated: 2025-07-22T14:58:34.382Z

Reserved: 2025-07-11T19:05:23.825Z

Link: CVE-2025-53892

cve-icon Vulnrichment

Updated: 2025-07-22T14:57:58.777Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-16T14:15:28.357

Modified: 2025-07-22T15:15:37.397

Link: CVE-2025-53892

cve-icon Redhat

No data.