Prototype Pollution Risk in Vue I18n Internationalization Plugin by Intlify
CVE-2025-27597

8.9 HIGH

Key Information:

Vendor: Intlify
Status: Vendor
CVE Published: 7 March 2025

Summary

The Vue I18n plugin by Intlify is vulnerable to Prototype Pollution due to flaws in the handleFlatJson function of the @intlify/message-resolver and @intlify/vue-i18n-core components. An attacker can exploit this vulnerability by supplying a crafted payload that targets the Object.prototype setter, allowing manipulation of properties on the global prototype chain. The impact ranges from denial of service to injection-based attacks, particularly where the polluted properties intersect with sensitive Node.js APIs such as exec and eval, which can lead to unauthorized command execution within the application.
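To illustrate the weakness class the summary describes, the following is an added example and not vue-i18n's own handleFlatJson: a simplified, hypothetical expander that turns dotted message keys ("greeting.hello") into nested objects, shown once in the unsafe form in which a "__proto__" segment walks onto Object.prototype, and once hardened, together with a check a test suite can use to confirm the global prototype was not modified.

```javascript
// Added example (hypothetical code, not from vue-i18n / Intlify): flat-key
// expansion of the kind handleFlatJson performs, unsafe vs. hardened.
const BLOCKED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe pattern: descends through whatever property the segment names.
// A segment "__proto__" resolves to Object.prototype, so the final
// assignment lands on the global prototype chain (prototype pollution).
function expandFlatKeysUnsafe(flat) {
  const out = {};
  for (const [key, value] of Object.entries(flat)) {
    const segments = key.split(".");
    let cur = out;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[segments[segments.length - 1]] = value;
  }
  return out;
}

// Hardened: reject dangerous segments outright, build on null-prototype
// objects so nothing inherited is reachable, and descend only into own
// properties that are already plain objects.
function expandFlatKeysSafe(flat) {
  const out = Object.create(null);
  for (const [key, value] of Object.entries(flat)) {
    const segments = key.split(".");
    if (segments.some((s) => BLOCKED_SEGMENTS.has(s))) {
      throw new Error(`rejected unsafe message key: ${key}`);
    }
    let cur = out;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (!Object.hasOwn(cur, seg) || typeof cur[seg] !== "object" || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[segments[segments.length - 1]] = value;
  }
  return out;
}

// Detection helper for tests/health checks: a fresh object literal must not
// see a property named `probe`; if it does, Object.prototype was polluted.
function prototypeIsClean(probe) {
  return !(probe in {});
}
```

In an application that loads locale messages from untrusted sources, the same guard (reject the three blocked segments, or use null-prototype containers) is the mitigation, and prototypeIsClean-style assertions in CI catch regressions.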

Affected Version(s)

vue-i18n >= 9.1.0, < 9.14.3 (not affected: < 9.1.0; patched: 9.14.3)

vue-i18n >= 10.0.0-alpha.1, < 10.0.6 (not affected: < 10.0.0-alpha.1; patched: 10.0.6)

vue-i18n >= 11.0.0-beta.0, < 11.1.2 (not affected: < 11.0.0-beta.0; patched: 11.1.2)

References

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

CVE-2025-27597 : Prototype Pollution Risk in Vue I18n Internationalization Plugin by Intlify | SecurityVulnerability.io