Key Information

Vulnerability Overview

Vulnerability Name: does not prevent DOM-based XSS via tag attributes like
CVE ID: CVE-2025-53892
Severity: High

Affected Packages and Versions

Description

Summary:
- The option in Vue I18n is intended to prevent HTML/script injection by escaping interpolated parameters. However, when interpolated values are inserted into an HTML context using , this setting does not prevent certain tag-based payloads (e.g., ) from executing.
- Even with enabled, if translation strings contain minimal HTML and are rendered via , the result can still be a DOM-based XSS vulnerability.

Details:
- When is enabled, it correctly escapes the common injection points.
- However, it does not sanitize the entire attribute context, which leaves XSS vectors such as:

PoC:
- In Vue I18n configuration:
- Using interpolated payload:
- Rendering translation with :
- Expected: Escaped content should be rendered as plain text, not executed.
- Actual: In some environments, the script executes (or is partially parsed as HTML).

Impact:
- Despite enabling the security option ( ), this still creates a DOM-based Cross-Site Scripting (XSS) vulnerability.
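The following is an added example, not code from this advisory or from the vue-i18n project. It models the situation described above (a translation template that already carries minimal HTML, an interpolated parameter, the whole string rendered as raw HTML) and shows a test-suite check that flags when a parameter introduces tags or event-handler attributes the template did not have; `escapeFull`, `escapeAnglesOnly`, `interpolate`, `markupSignature`, `newMarkupIntroduced` and the probe strings are hypothetical names and constructed inputs, and `escapeAnglesOnly` is a stand-in for an escaper that ignores the attribute context, not a copy of vue-i18n's own escaper.

```javascript
// Added example (not from the advisory or the vue-i18n project). All names
// below are hypothetical; escapeAnglesOnly stands in for an escaper that
// only handles tag delimiters and so leaves the attribute context unprotected.

// Escaping that covers both text and quoted-attribute contexts.
const FULL = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeFull(value) {
  return String(value).replace(/[&<>"']/g, (c) => FULL[c]);
}

// Stand-in for an escaper that only neutralises tag delimiters; the
// characters that close a quoted attribute value pass through untouched.
function escapeAnglesOnly(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Substitutes {name} placeholders, passing each parameter through escape().
function interpolate(template, params, escape) {
  return template.replace(/\{(\w+)\}/g, (_, key) => escape(params[key] ?? ""));
}

// Tokenises start tags well enough for test templates: returns the sorted tag
// names plus the number of on* (event handler) attribute names found in them.
const TAG_RE = /<\s*([a-z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/gi;
const ATTR_RE = /\s+([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
function markupSignature(html) {
  const tags = [];
  let handlers = 0;
  for (const [, name, attrs] of html.matchAll(TAG_RE)) {
    tags.push(name.toLowerCase());
    for (const [, attr] of attrs.matchAll(ATTR_RE)) {
      if (/^on/i.test(attr)) handlers += 1;
    }
  }
  return JSON.stringify({ tags: tags.sort(), handlers });
}

// Test-suite check: the rendered string must contain exactly the tags and the
// handler attributes the template had; anything extra came from a parameter.
function newMarkupIntroduced(template, rendered) {
  return markupSignature(template) !== markupSignature(rendered);
}

// Constructed inputs: a template with minimal HTML and probe strings that stand
// in for untrusted parameters (they reference no real handler code).
const TEMPLATE = '<span title="{who}">Hello, {who}!</span>';
const TAG_PROBE = '"><b onfocus=probe>';
const ATTR_PROBE = '" onmouseover=probe x="';
```

With `escapeFull` both probes stay inert; with `escapeAnglesOnly` the attribute probe closes the `title` value and lands an `onmouseover` attribute on the existing tag, which is the attribute-context gap the advisory describes.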