CVE-2025-53892

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

Published: Jul 16, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-53892
GHSA: GHSA-x8qp-wqqm-57ph
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
kazupon / vue-i18n	9.0.0	9.14.5
kazupon / vue-i18n	10.0.0	10.0.8
kazupon / vue-i18n	11.0.0	11.1.10
@intlify / core	9.0.0	9.14.5
@intlify / core	10.0.0	10.0.8
@intlify / core	11.0.0	11.1.10
@intlify / core-base	9.0.0	9.14.5
@intlify / core-base	10.0.0	10.0.8
@intlify / core-base	11.0.0	11.1.10
@intlify / vue-i18n-core	9.2.0	9.14.5
@intlify / vue-i18n-core	10.0.0	10.0.8
@intlify / vue-i18n-core	11.0.0	11.1.10
petite-vue-i18n	10.0.0	10.0.8
petite-vue-i18n	11.0.0	11.1.10

Vulnerability Database

CVE-2025-53892

Deep Security Visibility Without the Complexity