CVE-2025-27597 - Prototype Pollution in Vue I18n Could Lead to Severe Security Risks

Vue I18n is a widely used internationalization (i18n) plugin for Vue.js that lets developers add multilingual support to their apps with little effort. A serious vulnerability (CVE-2025-27597) has been found in two of the packages underneath it: @intlify/message-resolver and @intlify/vue-i18n-core. When attacker-controlled translation data reaches the handleFlatJson function, the function can be abused to perform prototype pollution, which leads to Denial of Service (DoS) or worse, depending on how the rest of your app reads objects.

In this article, we’ll look at how this vulnerability works, what kind of damage it can cause, and show a demonstration exploit so you know what to watch out for.

What Is Prototype Pollution?

Prototype pollution happens when an attacker gets to write properties onto a shared prototype, most often Object.prototype. Because almost every object in a JavaScript program inherits from it, a property added or overwritten there shows up on objects the attacker never touched directly. That lets them change application behaviour, flip checks that rely on a property being absent, and in some code bases reach code execution.

The packages

- @intlify/message-resolver
- @intlify/vue-i18n-core

Both sit under the hood of the Vue I18n plugin. The vulnerable function is handleFlatJson, which expands dot-separated "flat" keys such as "menu.file" into nested translation objects ({ menu: { file: ... } }).

The Vulnerability: handleFlatJson and Dangerous Keys

The problem appears when translation data from an untrusted source (a user-uploaded locale file, an external API) is passed to handleFlatJson. The function splits each dotted key on "." and walks, or creates, the intermediate objects. If a segment is "__proto__" (or "constructor" followed by "prototype"), that walk lands on Object.prototype, and the final assignment writes onto it. Concretely, say translation data is loaded from a user-uploaded file or an external API:

const { handleFlatJson } = require('@intlify/message-resolver');

// Translation data from an untrusted source. The dotted key is split on "."
// and expanded in place; the "__proto__" segment makes the walk step into
// Object.prototype, so the final assignment lands on the shared prototype.
const malicious = {
  '__proto__.polluted': 'You have been hacked!',
};

// handleFlatJson takes the flat object and mutates it in place.
handleFlatJson(malicious);

console.log({}.polluted); // Output: You have been hacked!

What happened?
Every object in the process (not just translations) now inherits the polluted property. What that buys an attacker depends on how the app reads objects:

- Denial of Service (DoS): code that iterates or serialises objects can trip over unexpected properties, and a polluted built-in such as toString can make ordinary calls throw and crash the app.
- Logic bypass / privilege escalation: checks that rely on a property being absent (if (!user.isAdmin), for instance) can be flipped by an inherited value.
- Remote Code Execution (RCE): if your code later feeds an object property to Node.js APIs like exec, eval, or Function, an inherited property the attacker controls becomes their command.
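To make the failure mode concrete without installing the vulnerable package, here is an added example (not code from vue-i18n or the @intlify packages): a simplified flat-key expander in the vulnerable shape described above, next to a hardened version that rejects prototype-related segments and builds its result from null-prototype objects. The function names (expandFlatJsonUnsafe, expandFlatJsonSafe, isPolluted) and the MALICIOUS payload are this example's own.

```javascript
// Added example, not code from vue-i18n or @intlify: a simplified flat-key
// expander in the vulnerable shape described above, and a hardened version.
// Names (expandFlatJsonUnsafe, expandFlatJsonSafe, isPolluted, MALICIOUS)
// are this example's own.

const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: expand "a.b.c" keys in place, reusing any object already
// reachable under a segment. For "__proto__" the `in` check is true on every
// plain object, so no fresh object is created, the walk steps into
// Object.prototype, and the final assignment lands there.
function expandFlatJsonUnsafe(obj) {
  for (const key of Object.keys(obj)) {
    if (!key.includes('.')) continue;
    const parts = key.split('.');
    let cur = obj;
    for (let i = 0; i < parts.length - 1; i++) {
      const seg = parts[i];
      if (!(seg in cur)) cur[seg] = {}; // '__proto__' in {} === true
      cur = cur[seg];                   // cur is now Object.prototype
    }
    cur[parts[parts.length - 1]] = obj[key]; // writes onto the shared prototype
    delete obj[key];
  }
  return obj;
}

// Hardened shape: reject prototype-related segments outright, never mutate the
// input, and build the result from null-prototype objects so there is no chain
// to walk into even if a check is ever missed.
function expandFlatJsonSafe(obj) {
  const out = Object.create(null);
  for (const key of Object.keys(obj)) {
    const parts = key.split('.');
    for (const seg of parts) {
      if (DANGEROUS_SEGMENTS.has(seg)) {
        throw new Error(`rejected key "${key}": segment "${seg}" is not allowed`);
      }
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const seg = parts[i];
      // Own properties only; a scalar already stored here is replaced by a
      // container (later dotted key wins).
      if (!Object.hasOwn(cur, seg) || typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[parts[parts.length - 1]] = obj[key];
  }
  return out;
}

// True if `prop` has been written onto Object.prototype itself.
function isPolluted(prop) {
  return Object.hasOwn(Object.prototype, prop);
}

// Constructed attacker payload standing in for an untrusted translation file.
const MALICIOUS = {
  'greeting.hello': 'Hello',
  '__proto__.polluted': 'You have been hacked!',
};

// Run the payload through the vulnerable expander, record whether every object
// in the process now inherits `polluted`, then undo the damage.
function demoUnsafe() {
  expandFlatJsonUnsafe({ ...MALICIOUS });
  const hit = isPolluted('polluted');
  delete Object.prototype.polluted;
  return hit;
}

// Run the same payload through the hardened expander: 'rejected' means the
// key was refused and Object.prototype is untouched.
function demoSafe() {
  try {
    expandFlatJsonSafe({ ...MALICIOUS });
    return 'expanded';
  } catch (err) {
    return isPolluted('polluted') ? 'polluted' : 'rejected';
  }
}

console.log('vulnerable expander polluted Object.prototype:', demoUnsafe());
console.log('hardened expander result:', demoSafe());
```

The hardened version pays for its safety with a behavioural change: a key that contains a forbidden segment is refused rather than silently dropped, which is the right default for data that crosses a trust boundary.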

Example RCE Scenario (insecure pattern)

// Options object assembled by the app; nobody set `exec` on it, but after
// prototype pollution every object inherits one.
let options = {};

// A plain truthiness check reads through the prototype chain, so the
// inherited value passes and is handed straight to a shell.
if (options.exec) {
  require('child_process').exec(options.exec);
}
// Now any input that reaches handleFlatJson can set `exec` for every object.

Mitigation

1. Upgrade: move to a release of vue-i18n, @intlify/vue-i18n-core and @intlify/message-resolver that contains the fix for CVE-2025-27597 (see the fix pull request below).
2. Do Not Merge Untrusted Translation Data: treat locale files and API responses as input. Validate them, and reject keys containing "__proto__", "constructor" or "prototype" before they reach handleFlatJson.
3. Use Security Linters: tools like eslint-plugin-security can help catch dangerous patterns such as dynamic property writes and exec/eval on attacker-influenced data.
4. Monitor Application Behavior: watch for unexpected behaviour or crashes in your app, especially after translations are updated.

References and Further Reading

- CVE Details: CVE-2025-27597 *(pending)*
- @intlify/message-resolver
- Prototype Pollution Attack Explanation by Snyk
- Official fix pull request *(check for latest patch)*

Conclusion

CVE-2025-27597 is a serious issue that should not be underestimated. If you use Vue I18n or its low-level packages, upgrade to a fixed release as soon as possible. Prototype pollution ranges from Denial of Service to, in the worst case, attackers running code on your server. Never let untrusted users supply data that gets merged into application objects, and keep your dependencies updated.

If you want to know whether your app is vulnerable or need help patching, check the references above or contact a security expert.

Timeline

Published on: 03/07/2025 16:15:39 UTC
Last modified on: 03/07/2025 18:15:48 UTC