
AIKIDO-2024-10497

@intlify/core-base is vulnerable to XSS via Prototype Pollution

XSS via Prototype Pollution
CVE-2024-52809
Published Dec 2, 2024

Score: 80 (High Risk)

This affects:

Ecosystem: js
Package: @intlify/core-base
Affected 9.3.0 - 9.14.1, fixed in 9.14.2
Affected 10.0.0 - 10.0.4, fixed in 10.0.5

TL;DR

Affected versions of @intlify/core-base are vulnerable to Cross-site Scripting (XSS) when locale message Abstract Syntax Trees (ASTs) are used in development mode, or when custom ASTs are supplied. The createI18n and useI18n functions accept locale messages, which are compiled into ASTs as a performance optimization during production builds by plugins such as @intlify/unplugin-vue-i18n. If these ASTs are not precompiled, or can be manipulated by a third party, the result is a risk of XSS.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@intlify/core-base is affected by an XSS vulnerability involving Prototype Pollution in versions 9.3.0 - 9.14.1 and 10.0.0 - 10.0.4.

How to fix this

Upgrade @intlify/core-base to a patched version: 9.14.2 for the 9.x line, or 10.0.5 for the 10.x line.