fix(deps): update dependency vue-i18n to v10.0.5 [security] #250
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
10.0.4
->10.0.5
GitHub Vulnerability Alerts
CVE-2024-52809
Vulnerability type
XSS
Description
vue-i18n can be passed locale messages to
createI18n
oruseI18n
.we can then translate them using
t
and$t
.vue-i18n has its own syntax for local messages, and uses a message compiler to generate AST.
In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as
@intlify/unplugin-vue-i18n
and bulder to convert the AST in advance when building the application.By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.
The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a
static
property, but that is just one of the optimizations.About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts
In general, the locale messages of vue-i18n are optimized during production builds using
@intlify/unplugin-vue-i18n
,so there is always a property that is attached during optimization like this time.
But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.
Reproduce (PoC)
Workarounds
Before v10.0.0, we can work around this vulnerability by using the regular compilation (
jit: false
of@intlify/unplugin-vue-i18n
plugin configuration) way instead of jit compilation.References
CVE-2024-52810
Vulnerability type: Prototype Pollution
Affected Package:
Product: @intlify/shared
Version: 10.0.4
Vulnerability Location(s):
node_modules/@​intlify/shared/dist/shared.cjs:232:26
Description:
The latest version of
@intlify/shared (10.0.4)
is vulnerable to Prototype Pollution through the entry function(s)lib.deepCopy
. An attacker can supply a payload withObject.prototype
setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) the minimum consequence.Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.
PoC:
References
Prototype Pollution Leading to Remote Code Execution - An example of how prototype pollution can lead to command code injection.
OWASP Prototype Pollution Prevention Cheat Sheet - Best practices for preventing prototype pollution.
PortSwigger Guide on Preventing Prototype Pollution - A detailed guide to securing your applications against prototype pollution.
Release Notes
intlify/vue-i18n (vue-i18n)
v10.0.5
Compare Source
What's Changed
🔒 Security Fixes
Full Changelog: intlify/vue-i18n@v10.0.4...v10.0.5
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.