PT-2024-35457 · Vue-I18N · Vue-I18N

Bobbie Goede · Published 2024-11-29 · Updated 2024-12-02 · CVE-2024-52809

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: vue-i18n versions prior to 9.14.2; vue-i18n versions prior to 10.0.5
Description: The issue is a possible Cross-site Scripting (XSS) attack in vue-i18n, an internationalization plugin for Vue.js. It occurs when locale message ASTs are generated in development mode, allowing for potential exploitation. The estimated number of potentially affected devices worldwide is not specified. There are no reported real-world incidents of this issue being exploited. Technically, locale messages passed through createI18n or useI18n are compiled into ASTs by the message compiler; the static property in the AST tree is one of the compiler's optimizations and is the element that can be exploited.
Recommendations: For versions prior to 9.14.2, upgrade to version 9.14.2 or later. For versions prior to 10.0.5, upgrade to version 10.0.5 or later. As a temporary workaround for versions before v10.0.0, use the regular (non-JIT) compilation path instead of JIT compilation by setting jit: false in the @intlify/unplugin-vue-i18n plugin configuration.
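The version ranges and workaround above, turned into a dependency triage check. This is an added example, not vue-i18n or @intlify/unplugin-vue-i18n code; it assumes the plugin options are available as a plain object whose jit key mirrors the setting named in the workaround.

```javascript
// Added triage helper (not vue-i18n or unplugin-vue-i18n project code). Maps an
// installed vue-i18n version and the @intlify/unplugin-vue-i18n options to the
// advisory's fixed versions (9.14.2 / 10.0.5) and its jit:false workaround.

// Parse "X.Y.Z" with an optional "-prerelease" suffix; a leading "v" is tolerated.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { triple: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// True when a < b; a prerelease sorts below the release with the same triple.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.triple[i] !== b.triple[i]) return a.triple[i] < b.triple[i];
  }
  return a.prerelease !== null && b.prerelease === null;
}

// Fixed version from the advisory, chosen by major line (10.x+ vs. older).
function fixedVersionFor(v) {
  return v.triple[0] >= 10 ? "10.0.5" : "9.14.2";
}

// Returns { status, upgradeTo } where status is one of:
//   "fixed"      - at or above the fixed version for that line
//   "mitigated"  - affected version below 10.0.0 with jit:false set (workaround)
//   "vulnerable" - affected and no documented workaround in effect
function assessVueI18n(version, pluginOptions = {}) {
  const v = parseSemver(version);
  const upgradeTo = fixedVersionFor(v);
  if (!isBefore(v, parseSemver(upgradeTo))) return { status: "fixed", upgradeTo: null };
  // The jit:false workaround is documented only for versions before v10.0.0.
  const workaroundApplies = isBefore(v, parseSemver("10.0.0")) && pluginOptions.jit === false;
  return { status: workaroundApplies ? "mitigated" : "vulnerable", upgradeTo };
}

// Constructed sample inputs (not taken from any real project).
const samples = [
  ["9.14.1", { jit: true }],
  ["9.14.1", { jit: false }],
  ["10.0.4", { jit: false }], // workaround is not documented for the 10.x line
  ["10.0.5", {}],
];
for (const [ver, opts] of samples) {
  console.log(ver, JSON.stringify(opts), "->", JSON.stringify(assessVueI18n(ver, opts)));
}
```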

Tags: Exploit · Fix · XSS

Related Identifiers

CVE-2024-52809
GHSA-9R9M-FFP6-9X4V

Affected Products

Vue-I18N