| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vue-i18n | npm | >= 9.0.0, < 9.14.5 | 9.14.5 |
| vue-i18n | npm | >= 10.0.0, < 10.0.8 | 10.0.8 |
| vue-i18n | npm | >= 11.0.0, < 11.1.10 | 11.1.10 |
| @intlify/core | npm | >= 9.0.0, < 9.14.5 | 9.14.5 |
| @intlify/core | npm | >= 10.0.0, < 10.0.8 | 10.0.8 |
| @intlify/core | npm | >= 11.0.0, < 11.1.10 | 11.1.10 |
| @intlify/core-base | npm | >= 9.0.0, < 9.14.5 | 9.14.5 |
| @intlify/core-base | npm | >= 10.0.0, < 10.0.8 | 10.0.8 |
| @intlify/core-base | npm | >= 11.0.0, < 11.1.10 | 11.1.10 |
| @intlify/vue-i18n-core | npm | >= 9.2.0, < 9.14.5 | 9.14.5 |
| @intlify/vue-i18n-core | npm | >= 10.0.0, < 10.0.8 | 10.0.8 |
| @intlify/vue-i18n-core | npm | >= 11.0.0, < 11.1.10 | 11.1.10 |
| petite-vue-i18n | npm | >= 10.0.0, < 10.0.8 | 10.0.8 |
| petite-vue-i18n | npm | >= 11.0.0, < 11.1.10 | 11.1.10 |
The vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in vue-i18n. The root cause is incomplete sanitization of translated strings even when the `escapeParameterHtml: true` security option is enabled. That option escapes HTML metacharacters in interpolated parameters and was intended to prevent XSS, but the escaping was not sufficient when a parameter landed inside an HTML tag attribute.
Reading the patches shows two functions involved in the vulnerability:

`translate` in `packages/core-base/src/translate.ts`: the primary internationalization function. It takes a message key and parameters and returns the translated string. Before the patch it performed no sanitization of the final output. Parameter escaping only rewrites characters inside the parameter value; it does nothing about the position the message author gave the placeholder. So if a message contained markup like `<img src=x onerror="{payload}">`, a payload such as `alert(1)` contains nothing to escape, is inserted verbatim, and the `onerror` handler runs once the string is rendered as HTML. The fix introduces a call to a new `sanitizeTranslatedHtml` function just before the final string is returned.

`escapeHtml` in `packages/shared/src/utils.ts`: the utility that escapes parameters before interpolation. It escaped only a basic set of HTML characters (`<`, `>`, `"`, `'`) and missed `=` and `/`, which allowed attackers to construct malicious attributes and URLs. This matters in an unquoted attribute value, which ends at the first whitespace: a parameter like `x onerror=alert(1)` introduces a new attribute without using `<`, `>` or a quote. The patch extends the function to escape these additional characters as defense in depth. Note that escaping alone still cannot stop a value such as `javascript:alert(1)` placed into an `href`, since it contains none of the escaped characters; that case is what the output-level sanitization is for.
In summary, an attacker who controls a parameter value passed to a translation whose result is rendered with `v-html` could exploit this: `translate` would interpolate it, the inadequate `escapeHtml` would fail to neutralize the payload, and the browser would execute the resulting JavaScript. The fix improves the parameter escaping and adds a final sanitization step over the whole translated HTML string. Upgrade to the first patched version of your major line (see the table above), and treat `escapeParameterHtml` as a secondary control: a message rendered with `v-html` should not place an untrusted parameter inside an attribute, and messages that need no markup should be rendered with text interpolation instead.
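To make the two layers concrete, here is an added example written for this write-up; it is not code from vue-i18n or @intlify. It is a toy `{name}` interpolator with a narrow escaper (the `<`, `>`, `"`, `'` set described above), a wider escaper that also covers `=` and `/`, and a stand-in for the post-translation `sanitizeTranslatedHtml` pass. The function names, the regexes, the inclusion of `&` in the wide escaper, and the sample messages and attacker parameters are all assumptions made for illustration; the library's actual rules are not shown on this page.

```javascript
// Added example for this write-up, not code from vue-i18n or @intlify. It is a
// toy interpolator that mirrors the two layers described above: parameter
// escaping (the pre- and post-patch character sets the analysis names) and a
// final pass over the translated HTML. Function names, regexes and the sample
// messages are assumptions made for illustration, not the library's code.

// Pre-patch escaping as described above: only < > " ' are rewritten.
const NARROW = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeNarrow = (s) => String(s).replace(/[<>"']/g, (c) => NARROW[c]);

// Post-patch escaping as described above: = and / are rewritten as well.
// '&' is included because escaping it is standard practice for any HTML
// escaper (assumption; the text above does not say whether vue-i18n does).
const WIDE = { ...NARROW, '&': '&amp;', '=': '&#61;', '/': '&#47;' };
const escapeWide = (s) => String(s).replace(/[&<>"'=\/]/g, (c) => WIDE[c]);

// Illustrative stand-in for a sanitizeTranslatedHtml pass (assumption: the
// real function's rules are not shown on this page). It drops on* event
// handler attributes, quoted or unquoted, and the javascript: URL scheme.
// A production sanitizer must also handle whitespace/control characters
// inside the scheme and entity-encoded variants; this demo covers only the
// plain forms.
function sanitizeTranslatedHtml(html) {
  return html
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/javascript\s*:/gi, '');
}

// Minimal {name} interpolation with both hooks wired in. escapeParameterHtml
// mirrors the option's name; `escape` selects which character set to use.
function translate(message, params, opts = {}) {
  const { escapeParameterHtml = false, escape = escapeNarrow, sanitizeOutput = false } = opts;
  const out = message.replace(/\{(\w+)\}/g, (m, name) => {
    if (!(name in params)) return m;            // leave unknown placeholders alone
    const v = String(params[name]);
    return escapeParameterHtml ? escape(v) : v;
  });
  return sanitizeOutput ? sanitizeTranslatedHtml(out) : out;
}

// Crude detector for the two shapes discussed above: an on* handler attribute
// or a javascript: URL surviving into the markup that v-html would render.
function looksExecutable(html) {
  return /\son[a-z]+\s*=/i.test(html) || /javascript\s*:/i.test(html);
}

// Constructed sample messages. Two place a parameter in an unquoted attribute
// value; the third is the shape the analysis above quotes, with the parameter
// inside an event handler attribute.
const MESSAGES = {
  avatar: '<img src={src} alt="avatar">',
  profileLink: '<a href={url}>{name}</a>',
  broken: '<img src=x onerror="{payload}">',
};

// Constructed attacker-controlled parameters.
const ATTACK = {
  src: 'x onerror=alert(1)',                 // no < > " ' : narrow escaping is a no-op
  url: 'javascript:alert(document.cookie)',  // no escapable characters at all
  name: 'Mallory',
  payload: 'alert(1)',
};

// Render each message with the pre-patch escaper, then with the hardened
// escaper plus the output pass, so the two layers can be compared.
function demo(params = ATTACK) {
  const before = {}, after = {};
  for (const [key, message] of Object.entries(MESSAGES)) {
    before[key] = translate(message, params, { escapeParameterHtml: true, escape: escapeNarrow });
    after[key] = translate(message, params, {
      escapeParameterHtml: true, escape: escapeWide, sanitizeOutput: true,
    });
  }
  return { before, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { before, after } = demo();
  for (const key of Object.keys(MESSAGES)) {
    console.log(`${key}\n  before: ${before[key]}  [executable=${looksExecutable(before[key])}]`);
    console.log(`  after:  ${after[key]}  [executable=${looksExecutable(after[key])}]`);
  }
}
```

Running `demo()` shows the division of labour between the two fixes. For `avatar`, escaping `=` alone is enough: the value becomes `x onerror&#61;alert(1)`, which the HTML parser reads as a harmless attribute name rather than an `onerror` handler. For `profileLink`, no amount of character escaping helps because `javascript:alert(document.cookie)` contains none of the escaped characters, so only the output pass neutralizes it. For `broken`, where the author placed the parameter inside an event handler attribute, the output pass removes the whole `onerror` attribute, which is the only layer that can help there.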