CVE-2025-27597: 
JavaScript vulnerability analysis and mitigation

Vue I18n, the internationalization plugin for Vue.js, contains a vulnerability in @intlify/message-resolver and @intlify/vue-i18n-core components through the handleFlatJson entry function. The vulnerability was discovered and disclosed on March 7, 2025, affecting versions >= 9.1 for multiple related packages including vue-i18n, petite-vue-i18n, and several @intlify packages (GitHub Advisory).

The vulnerability is a Prototype Pollution issue in the handleFlatJson function. The function fails to properly validate user input, allowing an attacker to supply a payload with Object.prototype setter that can modify properties within the global prototype chain. The vulnerability has been assigned a CVSS v4.0 score of 8.9 HIGH, indicating its significant severity (NVD).

The primary impact is denial of service (DoS) as a minimum consequence. However, the vulnerability can potentially escalate to more severe injection-based attacks. If the polluted property propagates to sensitive Node.js APIs (such as exec or eval), it could enable an attacker to execute arbitrary commands within the application's context (GitHub Advisory).

The vulnerability has been patched in multiple versions: vue-i18n and petite-vue-i18n in versions 9.14.3, 10.0.6, and 11.1.2; @intlify/core and @intlify/core-base in version 9.1.11; @intlify/message-resolver in version 9.1.11; and @intlify/vue-i18n-core in versions 9.14.3, 10.0.6, and 11.1.2. The fix includes adding validation checks for unsafe keys like 'proto' (GitHub Commit).