Bobbie Goede

**Name of the Vulnerable Software and Affected Versions** vue-i18n versions prior to 9.14.2 vue-i18n versions prior to 10.0.5 **Description** The issue concerns a Cross-site Scripting (XSS) attack possibility in vue-i18n, an internationalization plugin for Vue.js. This occurs when locale message ASTs are generated in development mode, allowing for potential exploitation. The estimated number of potentially affected devices worldwide is not specified. There are no reported real-world incidents of this issue being exploited. Technical details include the use of `createI18n` or `useI18n` to pass locale messages, and the generation of ASTs by the message compiler. The `static` property in the AST tree is one of the optimizations that can be exploited. **Recommendations** For versions prior to 9.14.2, upgrade to version 9.14.2 or later. For versions prior to 10.0.5, upgrade to version 10.0.5 or later. As a temporary workaround for versions before v10.0.0, consider using the regular compilation way instead of jit compilation by setting `jit: false` in the `@intlify/unplugin-vue-i18n` plugin configuration.

**Name of the Vulnerable Software and Affected Versions** @intlify/shared versions 10.0.4 **Description** The issue is related to Prototype Pollution through the entry function(s) `lib.deepCopy`. An attacker can supply a payload with `Object.prototype` setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence. The consequences of this issue can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., `exec`, `eval`), it could enable an attacker to execute arbitrary commands within the application's context. **Recommendations** For @intlify/shared version 10.0.4, upgrade to version 10.0.5 to resolve the issue. As a temporary workaround, consider restricting the use of the `lib.deepCopy` function until a patch is available. Avoid using the `Object.prototype` setter in the affected `lib.deepCopy` function until the issue is resolved.