Update dependency vue-i18n to v11.1.10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vue-i18n (source)	11.1.5 → 11.1.10

---

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

CVE-2025-53892 / GHSA-x8qp-wqqm-57ph

More information

Details

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>';
Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p>
Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph
• https://nvd.nist.gov/vuln/detail/CVE-2025-53892
• https://github.com/intlify/vue-i18n/pull/2229
• https://github.com/intlify/vue-i18n/pull/2230
• https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e
• https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099
• https://github.com/intlify/vue-i18n/releases/tag/v10.0.8
• https://github.com/intlify/vue-i18n/releases/tag/v11.1.10
• https://github.com/intlify/vue-i18n/releases/tag/v9.14.5
• https://github.com/advisories/GHSA-x8qp-wqqm-57ph

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

intlify/vue-i18n (vue-i18n)

v11.1.10

Compare Source

🔒 Security Fixes

• fix: DOM-based XSS via tag attributes for escape parameter, about details see GHSA-x8qp-wqqm-57ph

Full Changelog: intlify/vue-i18n@v11.1.9...v11.1.10

v11.1.9

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.8...v11.1.9

v11.1.8

Compare Source

What's Changed

⚡ Improvement Features

• fix: typo by @​kazupon in #​2221

Full Changelog: intlify/vue-i18n@v11.1.7...v11.1.8

v11.1.7

Compare Source

What's Changed

🐛 Bug Fixes

• fix: declaration order in Number formatting with options ResourceKeys by @​kazupon in #​2208

Full Changelog: intlify/vue-i18n@v11.1.6...v11.1.7

v11.1.6

Compare Source

What's Changed

⚡ Improvement Features

• fix: error on duplicate useI18n calling on local scope by @​kazupon in #​2203

Full Changelog: intlify/vue-i18n@v11.1.5...v11.1.6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.