Description

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

INFO

Published Date :

2025-07-16T13:42:09.383Z

Last Modified :

2025-07-16T13:42:09.383Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-53892 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-53892.

URL Resource
https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e cve-icon cve-icon
https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099 cve-icon cve-icon
https://github.com/intlify/vue-i18n/pull/2229 cve-icon cve-icon
https://github.com/intlify/vue-i18n/pull/2230 cve-icon cve-icon
https://github.com/intlify/vue-i18n/releases/tag/v10.0.8 cve-icon cve-icon
https://github.com/intlify/vue-i18n/releases/tag/v11.1.10 cve-icon cve-icon
https://github.com/intlify/vue-i18n/releases/tag/v9.14.5 cve-icon cve-icon
https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability