
fix(deps): update dependency vue-i18n to v9.14.5 [security]#64

Merged
a-klos merged 1 commit into deps-main from renovate/npm-vue-i18n-vulnerability on Jul 31, 2025

Conversation

@a-klos (Member) commented Jul 31, 2025

This PR contains the following updates:

Package | Change
vue-i18n (source) | 9.14.4 -> 9.14.5

GitHub Vulnerability Alerts

CVE-2025-53892

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

import { createI18n } from 'vue-i18n';

// The message itself carries an event-handler attribute whose value is the
// interpolated parameter, so the parameter lands in an attribute context.
const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>';

Render the translation using v-html (even when not using v-html):

<p v-html="$t('vulnerable', { payload })"></p>
Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml).


Release Notes

intlify/vue-i18n (vue-i18n)

v9.14.5

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v9.14.4...v9.14.5


Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
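The advisory above describes why entity escaping of parameters is not enough once a message string places the parameter inside an event-handler attribute and the result is rendered with v-html. The following is an added illustration, not vue-i18n's code and not part of the advisory or this PR: escapeHtml is an assumed approximation of the escaping an escapeParameterHtml-style option performs, renderMessage is a hypothetical stand-in for message interpolation, decodeAttributeValue models the entity decoding the browser's HTML parser applies to attribute values before the JS engine sees them, and hasActiveHtml is a hypothetical catalog lint. The message strings and payloads are constructed for the demo.

```javascript
// Added example, not vue-i18n's own code. escapeHtml approximates the entity
// escaping an escapeParameterHtml-style option applies to parameters
// (assumption: the exact character set escaped by vue-i18n may differ).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical stand-in for message interpolation: {name} placeholders are
// replaced by the (optionally escaped) parameter value.
function renderMessage(message, params, escapeParameterHtml = true) {
  return message.replace(/\{(\w+)\}/g, (_, name) => {
    const raw = params[name] === undefined ? '' : params[name];
    return escapeParameterHtml ? escapeHtml(raw) : String(raw);
  });
}

// What the HTML parser does to an attribute value before the JS engine compiles
// it as a handler: entity references are decoded. Only the five entities that
// escapeHtml emits are handled here.
function decodeAttributeValue(value) {
  return value
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Naive extraction of the first on*="..." handler from rendered markup,
// returning the JS source the engine would run (demo only, not an HTML parser).
function firstEventHandlerSource(html) {
  const m = /<[a-z][^>]*\son\w+="([^"]*)"/i.exec(html);
  return m ? decodeAttributeValue(m[1]) : null;
}

// Catalog lint (hypothetical): flag message strings carrying active HTML, i.e.
// event-handler attributes, script tags or javascript: URLs. Such messages must
// never be rendered through v-html with caller-controlled parameters.
function hasActiveHtml(message) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(message);
}

// Constructed inputs for the demo.
const TEXT_MESSAGE = 'Hello {name}';
const ATTRIBUTE_MESSAGE = 'Caution: <img src=x onerror="{payload}">';

function demo() {
  // Text context: the escaped parameter never becomes a tag, so even v-html
  // only shows it as text.
  const text = renderMessage(TEXT_MESSAGE, { name: '<img src=x onerror=alert(1)>' });
  // Attribute context: escaping keeps the attribute intact, but the parameter
  // still becomes the handler body once the browser decodes the entities.
  const attr = renderMessage(ATTRIBUTE_MESSAGE, { payload: 'alert(1)' });
  return {
    textHtml: text,
    textHasTag: /<img\b/.test(text),
    attrHandler: firstEventHandlerSource(attr),
    attrMessageFlagged: hasActiveHtml(ATTRIBUTE_MESSAGE),
    textMessageFlagged: hasActiveHtml(TEXT_MESSAGE)
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The practical takeaways are the two checks: keep HTML out of message strings that interpolate parameters (or lint the catalog for event-handler attributes as hasActiveHtml does), and render translations with text interpolation rather than v-html unless the message is fully trusted and carries no parameters. Escaping is a text-context defence; it cannot turn attribute-context injection into safe output.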

@a-klos a-klos merged commit 2cb6c54 into deps-main Jul 31, 2025
2 checks passed
@a-klos a-klos deleted the renovate/npm-vue-i18n-vulnerability branch July 31, 2025 08:08

2 participants