
CVE-2025-5897: @vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability

CVSS 3.1 Score
4.3

Basic Information

EPSS Score
0.11731%
Published
6/9/2025
Updated
6/9/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name         Ecosystem  Vulnerable Versions  First Patched Version
@vue/cli-plugin-pwa  npm        <= 5.0.8             (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the HtmlPwaPlugin.js file, specifically within the HtmlPwaPlugin class. The apply method of this class registers a callback function that is executed during the webpack compilation process. This callback uses String.prototype.replace with a regular expression to modify the HTML content. The original regular expression /<link rel=\"icon\"[^>]+>/ was susceptible to ReDoS attacks. An attacker could provide a malicious HTML string that causes the regex engine to enter a state of catastrophic backtracking, leading to excessive CPU consumption and a denial of service. The patch d7eb1fdfff4f71f9d7ef7a20a88f42ca582ebfca mitigates this by changing the regex to /<link rel=\"icon\"(?!<link rel=\"icon\")[^>]+>/, which prevents the backtracking issue. The apply method is the entry point for this vulnerable logic, as it sets up the callback containing the problematic regex execution.
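To make the mechanism above concrete, here is an added example (not code from this page or from vue-cli): it applies both regexes quoted in the analysis the way the page describes, String.prototype.replace on the generated HTML, and puts a regex-free single-pass rewrite beside them that a defender can substitute when the input is untrusted. The replacement string is assumed to be caller-supplied, and the HTML samples are constructed.

```javascript
// Patterns as quoted in the root-cause analysis (the \" there is just an escaped quote).
const ICON_LINK_ORIGINAL = /<link rel="icon"[^>]+>/;                       // pre-patch
const ICON_LINK_PATCHED = /<link rel="icon"(?!<link rel="icon")[^>]+>/;   // from commit d7eb1fd...

// Constructed sample of the HTML the webpack hook sees; two icon links on purpose.
const SAMPLE_HTML = [
  '<html><head>',
  '<link rel="icon" href="/favicon.ico">',
  '<link rel="icon" href="/alt.png">',
  '</head><body></body></html>',
].join('\n');

// The rewrite as the page describes it: a non-global regex, so only the first
// matching tag is replaced. What the plugin substitutes is assumed (replacement).
function rewriteWithRegex(html, replacement, pattern = ICON_LINK_PATCHED) {
  return html.replace(pattern, replacement);
}

// The same rewrite with no regex engine involved. It mirrors the original
// pattern's match: the first '<link rel="icon"' followed by at least one
// non-'>' character and then a '>'. Every character is visited at most once,
// so the cost is bounded by html.length whatever the attributes look like.
function rewriteLinear(html, replacement) {
  const open = '<link rel="icon"';
  let from = 0;
  for (;;) {
    const start = html.indexOf(open, from);
    if (start === -1) return html;            // no candidate tag left: unchanged
    const attrs = start + open.length;
    const end = html.indexOf('>', attrs);
    if (end === -1) return html;              // unterminated tag: nothing later can close either
    if (end > attrs) return html.slice(0, start) + replacement + html.slice(end + 1);
    from = attrs;                             // '<link rel="icon">' has no attribute text; keep scanning
  }
}

// Convenience check: do the regex rewrite and the linear rewrite agree on this input?
function implementationsAgree(html, replacement) {
  return rewriteWithRegex(html, replacement) === rewriteLinear(html, replacement);
}
```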
