
Cloud Vulnerability DB
A community-led vulnerabilities database
Vue I18n, the internationalization plugin for Vue.js, contains a DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-53892) discovered in July 2025. The vulnerability affects versions from 9.0.0 onward that are earlier than the patched releases 9.14.5, 10.0.8, and 11.1.0. The issue lies in the escapeParameterHtml: true option, which is designed to protect against HTML/script injection by escaping interpolated parameters but fails to prevent execution of certain tag-based payloads when used with v-html (GitHub Advisory).
The vulnerability stems from insufficient sanitization of attribute contexts in HTML elements. While the escapeParameterHtml option correctly escapes common injection points, it fails to properly sanitize entire attribute contexts, which can be exploited as XSS vectors. The issue specifically manifests when interpolated values are inserted inside an HTML context using v-html, even when escapeParameterHtml: true is enabled. The vulnerability has been assigned a CVSS v4.0 score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).
The vulnerability allows attackers to execute arbitrary JavaScript code through DOM-based XSS attacks, even when the escapeParameterHtml security option is enabled. This can lead to script execution in certain environments, particularly when translation strings include minor HTML and are rendered via v-html. The impact is significant as it bypasses an intended security measure (GitHub Advisory).
The vulnerability has been fixed in versions 9.14.5, 10.0.8, and 11.1.0. Users are strongly advised to upgrade to these patched versions. The fix includes improved HTML sanitization that properly handles dangerous characters in attribute values, neutralizes event handler attributes, and disables javascript: URLs in href, src, action, formaction, and style attributes (GitHub Releases, GitHub Releases).
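To check whether a project still installs an affected release, the following added example (not code from Vue I18n or from this advisory) walks the packages map of a package-lock.json and flags every copy of vue-i18n that falls in the range stated above. The function names and the sample lockfile, including the dependency names in it, are constructed for illustration.

```javascript
// Fixed version per release line, taken from the advisory text above.
const FIXED = { 9: [9, 14, 5], 10: [10, 0, 8], 11: [11, 1, 0] };

// Parse "major.minor.patch[-prerelease][+build]" into numeric core + prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is in the affected range (9.0.0 up to the per-line fix).
// Assumption: pre-releases inside a 9.x-11.x line are flagged conservatively.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) throw new Error(`unparseable version: ${version}`);
  const fixed = FIXED[p.core[0]];
  if (!fixed) return false; // outside the 9.x-11.x lines named in the advisory
  const c = compareCore(p.core, fixed);
  // A pre-release of the fixed version sorts before it in semver, so flag it.
  return c < 0 || (c === 0 && p.pre);
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3) and
// report every installed copy of vue-i18n, including nested ones.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vue-i18n")) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/vue-i18n": { version: "9.14.4" },
  "node_modules/some-widget/node_modules/vue-i18n": { version: "10.0.8" },
  "node_modules/legacy-ui/node_modules/vue-i18n": { version: "11.0.1" },
  "node_modules/vue-i18n-helper": { version: "1.0.0" },
} };
console.log(findAffected(sampleLock));
```

Nested copies matter here: a patched top-level install does not help if a dependency pins its own older vue-i18n under its node_modules directory.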
Source: This report was generated using AI