Skip to content

Update dependency @intlify/core to v11.1.10 [SECURITY] #5498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency @intlify/core to v11.1.10 [SECURITY] #5498

wants to merge 1 commit into from
+139 −138

Conversation

@openverse-bot
Copy link
Collaborator

@openverse-bot openverse-bot commented Oct 18, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
@intlify/core (source) devDependencies minor 11.0.1 -> 11.1.10

GitHub Vulnerability Alerts

CVE-2025-53892

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>';
Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p>
Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Release Notes

intlify/vue-i18n (@​intlify/core)

v11.1.10

Compare Source

🔒 Security Fixes
  • fix: DOM-based XSS via tag attributes for escape parameter, about details see GHSA-x8qp-wqqm-57ph

Full Changelog: intlify/vue-i18n@v11.1.9...v11.1.10

v11.1.9

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.8...v11.1.9

v11.1.8

Compare Source

What's Changed
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.7...v11.1.8

v11.1.7

Compare Source

What's Changed
🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v11.1.6...v11.1.7

v11.1.6

Compare Source

What's Changed
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.5...v11.1.6

v11.1.5

Compare Source

What's Changed
🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v11.1.4...v11.1.5

v11.1.4

Compare Source

What's Changed
🌟 Features
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.3...v11.1.4

v11.1.3

Compare Source

What's Changed
🐛 Bug Fixes
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.2...v11.1.3

v11.1.2

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v11.1.1...v11.1.2

v11.1.1

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.0...v11.1.1

v11.1.0

Compare Source

What's Changed

🌟 Features
📝️ Documentations

Full Changelog: intlify/vue-i18n@v11.0.1...v11.1.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@openverse-bot openverse-bot added the dependencies Pull requests that update a dependency file label Oct 18, 2025
@openverse-bot openverse-bot requested a review from a team as a code owner October 18, 2025 14:36
@openverse-bot openverse-bot added 💻 aspect: code Concerns the software code in the repository 🟨 tech: javascript Involves JavaScript 🟩 priority: low Low priority and doesn't need to be rushed 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🧱 stack: frontend Related to the Nuxt frontend labels Oct 18, 2025
@openverse-bot openverse-bot moved this to 👀 Needs Review in Openverse PRs Oct 18, 2025
@github-actions
Copy link

github-actions bot commented Oct 18, 2025
edited
Loading

Latest k6 run output1

     ✓ status was 200

     checks.........................: 100.00% ✓ 402      ✗ 0   
     data_received..................: 94 MB   390 kB/s
     data_sent......................: 53 kB   219 B/s
     http_req_blocked...............: avg=38.89µs  min=2.1µs    med=4.57µs   max=1.63ms   p(90)=143.57µs p(95)=167.45µs
     http_req_connecting............: avg=25.91µs  min=0s       med=0s       max=1.59ms   p(90)=96.16µs  p(95)=110.77µs
     http_req_duration..............: avg=143.82ms min=16.63ms  med=90.92ms  max=975.42ms p(90)=335.98ms p(95)=434.93ms
       { expected_response:true }...: avg=143.82ms min=16.63ms  med=90.92ms  max=975.42ms p(90)=335.98ms p(95)=434.93ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 402 
     http_req_receiving.............: avg=159.88µs min=57.16µs  med=128.54µs max=1.32ms   p(90)=246.42µs p(95)=370.67µs
     http_req_sending...............: avg=23.87µs  min=8.19µs   med=21.48µs  max=121.43µs p(90)=37.34µs  p(95)=43.02µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=143.63ms min=16.54ms  med=90.61ms  max=975.19ms p(90)=335.72ms p(95)=434.73ms
     http_reqs......................: 402     1.671099/s
     iteration_duration.............: avg=787.78ms min=240.87ms med=887.16ms max=1.67s    p(90)=1.08s    p(95)=1.14s   
     iterations.....................: 74      0.307615/s
     vus............................: 0       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

  1. This comment will automatically update with new output each time k6 runs for this PR

@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 12 times, most recently from b5bfb94 to 63fc2a9 Compare October 27, 2025 23:07
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 6 times, most recently from 42a22c5 to a119d03 Compare October 31, 2025 05:08
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 11 times, most recently from 6633321 to a73ab70 Compare November 7, 2025 03:27
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 2 times, most recently from b74300d to a3d5911 Compare November 10, 2025 21:08
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch from a3d5911 to 1141a84 Compare November 11, 2025 03:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krysal krysal Awaiting requested review from krysal krysal is a code owner automatically assigned from WordPress/openverse-frontend

@obulat obulat Awaiting requested review from obulat obulat is a code owner automatically assigned from WordPress/openverse-frontend

Assignees

No one assigned

Labels

💻 aspect: code Concerns the software code in the repository dependencies Pull requests that update a dependency file 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🟩 priority: low Low priority and doesn't need to be rushed 🧱 stack: frontend Related to the Nuxt frontend 🟨 tech: javascript Involves JavaScript

Projects

Openverse PRs
Status: 👀 Needs Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@openverse-bot