CVE-2025-53892

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-53892
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-53892.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-53892
Aliases
Published
2025-07-16T14:15:28Z
Modified
2025-07-17T20:56:38.345901Z
Summary
[none]
Details

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

References

Affected packages

Git / github.com/intlify/vue-i18n

Affected ranges

Type
GIT
Repo
https://github.com/intlify/vue-i18n
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
30971026b77c5985a4ad3d56c665bf77c2536be7
Fixed
49f982443ab8fd94ecc427b265ce97d57df94d7e
Fixed
924596094e3123251efb3b0ae2d93bbd4a5742ce
Fixed
a47099619fb9b256e86341a8658ebe72e92ab099
Fixed
ecbbd3a22361ce644a9185828cb4161daf528223

Affected versions

v10.*

v10.0.0
v10.0.0-alpha.1
v10.0.0-alpha.2
v10.0.0-alpha.3
v10.0.0-alpha.4
v10.0.0-alpha.5
v10.0.0-beta.1
v10.0.0-beta.2
v10.0.0-beta.3
v10.0.0-beta.4
v10.0.0-beta.5
v10.0.0-beta.6
v10.0.0-rc.1
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7

v11.*

v11.0.0
v11.0.0-beta.0
v11.0.0-beta.1
v11.0.0-beta.2
v11.0.0-rc.1
v11.0.1
v11.1.0
v11.1.1
v11.1.2
v11.1.3
v11.1.4
v11.1.5
v11.1.6
v11.1.7
v11.1.8
v11.1.9

v9.*

v9.0.0
v9.0.0-alpha.0
v9.0.0-alpha.1
v9.0.0-alpha.10
v9.0.0-alpha.11
v9.0.0-alpha.12
v9.0.0-alpha.13
v9.0.0-alpha.14
v9.0.0-alpha.15
v9.0.0-alpha.16
v9.0.0-alpha.17
v9.0.0-alpha.2
v9.0.0-alpha.3
v9.0.0-alpha.4
v9.0.0-alpha.5
v9.0.0-alpha.6
v9.0.0-alpha.7
v9.0.0-alpha.8
v9.0.0-alpha.9
v9.0.0-beta.1
v9.0.0-beta.10
v9.0.0-beta.11
v9.0.0-beta.12
v9.0.0-beta.13
v9.0.0-beta.14
v9.0.0-beta.15
v9.0.0-beta.16
v9.0.0-beta.17
v9.0.0-beta.18
v9.0.0-beta.2
v9.0.0-beta.3
v9.0.0-beta.4
v9.0.0-beta.5
v9.0.0-beta.6
v9.0.0-beta.7
v9.0.0-beta.8
v9.0.0-beta.9
v9.0.0-rc.1
v9.0.0-rc.2
v9.0.0-rc.3
v9.0.0-rc.4
v9.0.0-rc.5
v9.0.0-rc.6
v9.0.0-rc.7
v9.0.0-rc.8
v9.0.0-rc.9
v9.1.0
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.1.5
v9.1.6
v9.10.0
v9.10.1
v9.10.2
v9.11.0
v9.11.1
v9.12.0
v9.12.1
v9.13.0
v9.13.1
v9.14.0
v9.14.1
v9.14.2
v9.14.3
v9.14.4
v9.2.0
v9.2.0-alpha.1
v9.2.0-alpha.2
v9.2.0-alpha.3
v9.2.0-alpha.4
v9.2.0-alpha.5
v9.2.0-alpha.6
v9.2.0-alpha.7
v9.2.0-alpha.8
v9.2.0-alpha.9
v9.2.0-beta.1
v9.2.0-beta.10
v9.2.0-beta.11
v9.2.0-beta.12
v9.2.0-beta.13
v9.2.0-beta.14
v9.2.0-beta.15
v9.2.0-beta.16
v9.2.0-beta.17
v9.2.0-beta.18
v9.2.0-beta.19
v9.2.0-beta.2
v9.2.0-beta.20
v9.2.0-beta.21
v9.2.0-beta.22
v9.2.0-beta.23
v9.2.0-beta.24
v9.2.0-beta.25
v9.2.0-beta.26
v9.2.0-beta.27
v9.2.0-beta.28
v9.2.0-beta.29
v9.2.0-beta.3
v9.2.0-beta.30
v9.2.0-beta.31
v9.2.0-beta.32
v9.2.0-beta.33
v9.2.0-beta.34
v9.2.0-beta.35
v9.2.0-beta.36
v9.2.0-beta.37
v9.2.0-beta.38
v9.2.0-beta.39
v9.2.0-beta.4
v9.2.0-beta.40
v9.2.0-beta.5
v9.2.0-beta.6
v9.2.0-beta.7
v9.2.0-beta.8
v9.2.0-beta.9
v9.2.1
v9.2.2
v9.3.0
v9.3.0-beta.0
v9.3.0-beta.1
v9.3.0-beta.10
v9.3.0-beta.11
v9.3.0-beta.12
v9.3.0-beta.13
v9.3.0-beta.14
v9.3.0-beta.15
v9.3.0-beta.16
v9.3.0-beta.17
v9.3.0-beta.18
v9.3.0-beta.19
v9.3.0-beta.2
v9.3.0-beta.20
v9.3.0-beta.21
v9.3.0-beta.22
v9.3.0-beta.23
v9.3.0-beta.24
v9.3.0-beta.25
v9.3.0-beta.26
v9.3.0-beta.27
v9.3.0-beta.3
v9.3.0-beta.4
v9.3.0-beta.5
v9.3.0-beta.6
v9.3.0-beta.7
v9.3.0-beta.8
v9.3.0-beta.9
v9.4.0
v9.4.1
v9.5.0
v9.6.0
v9.6.1
v9.6.2
v9.6.3
v9.6.4
v9.6.5
v9.7.0
v9.7.1
v9.8.0
v9.9.0
v9.9.1