CVE-2025-53892 MEDIUM

CVE-2025-53892: Intlify Vue I18n's escapeParameterHtml does not prevent DOM-based XSS via tag attributes like onerror

Vendor Intlify

Product vue-i18n

Weakness CWE-79 · XSS

Published July 16, 2025

Last update July 22, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

Key dates

02Disclosure timeline

July 16, 2025 CVE published

July 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-53892 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2025-53892

CWE CWE-79

CVSS 5.3 / MEDIUM

Affected versions

Vendor Intlify

Product vue-i18n

Affected >= 9.0.0, < 9.14.5

Vendor Intlify

Product vue-i18n

Affected >= 10.0.0, < 10.0.8

Vendor Intlify

Product vue-i18n

Affected >= 11.0.0, < 11.1.0

CVE-2025-53892: Intlify Vue I18n's escapeParameterHtml does not prevent DOM-based XSS via tag attributes like onerror

01Description

02Disclosure timeline

03References

04Related CVE