CVE-2024-9506: 
JavaScript vulnerability analysis and mitigation

A Regular expression Denial of Service (ReDoS) vulnerability has been identified in Vue's parseHTML function affecting Vue versions 2.0.0 to 3.0.0. The vulnerability was discovered and disclosed in October 2024, impacting multiple Vue packages including compiler-sfc, server-renderer, and template-compiler (HeroDevs Directory).

The vulnerability exists in the html-parser.ts file within Vue's parseHTML() function, which contains an improperly written regular expression used to check for proper closing tags for script, style, or textarea elements. The issue occurs when template strings contain these tags without matching closing tags. The vulnerability has been assigned a CVSS v3.1 score of 3.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L and is classified under CWE-1333 (Inefficient Regular Expression Complexity) (NVD).

When exploited, this vulnerability can trigger a Regular expression Denial of Service (ReDoS) attack, causing the application to hang for extended periods when processing certain template strings. This occurs particularly when processing template strings containing script tags with mismatched closing tags and large amounts of text (HeroDevs Directory).

Since Vue 2 has reached End-of-Life, it will not receive official updates to address this issue. Users are advised to either migrate to a newer version of Vue or leverage a commercial support partner for post-EOL security support (HeroDevs Directory).