Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2025-27597

Severity High
Score 9.3/10

Summary

Vue I18n is the internationalization plugin for Vue.js. '@intlify/message-resolver' and '@intlify/vue-i18n-core' are vulnerable to Prototype Pollution through the entry function 'handleFlatJson'. An attacker can supply a payload with an 'Object.prototype' setter to introduce or modify properties within the global prototype chain, causing a denial of service (DoS) at a minimum.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., 'exec', 'eval'), it could enable an attacker to execute arbitrary commands within the application's context.

The vulnerability affects the following packages:

  • @intlify/core, @intlify/core-base, @intlify/message-resolver: versions 9.1.0 through 9.1.10
  • @intlify/vue-i18n-core: versions 9.2.0 through 9.14.2, 10.0.0-alpha.1 through 10.0.5, and 11.0.0-beta.0 through 11.1.1
  • petite-vue-i18n: versions 10.0.0 through 10.0.5, and 11.0.0-beta.0 through 11.1.1
  • vue-i18n: versions 9.1.0 through 9.14.2, 10.0.0-alpha.1 through 10.0.5, and 11.0.0-beta.0 through 11.1.1

  • LOW
  • NETWORK
  • NONE
  • NONE

CWE-1321 - Prototype Pollution

Prototype pollution is one of the lesser-known vulnerabilities. It allows attackers to abuse the rules of JavaScript by injecting properties into the prototype of the base “Object” in JavaScript. Modifying the prototype of “Object” affects the behavior of all objects in the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.
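How expanding dotted message keys can end up writing to the “Object” prototype, next to a hardened form, as an added example that is not code from vue-i18n or from this advisory. The names 'expandFlatNaive', 'expandFlatSafe', 'demo' and the sample messages are assumptions made for illustration.

```javascript
// Added example: simplified flat-key expansion, not the vue-i18n source.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
// Naive form: plain property access on each dot-separated segment, so the
// segment "__proto__" resolves to Object.prototype and the write lands there.
function expandFlatNaive(flat) {
  const out = {};
  for (const key of Object.keys(flat)) {
    const parts = key.split('.');
    let node = out;
    for (const part of parts.slice(0, -1)) {
      if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
      node = node[part];
    }
    node[parts[parts.length - 1]] = flat[key];
  }
  return out;
}

// Hardened form: reject prototype-related segments, build on null-prototype
// objects, and only descend into own properties.
function expandFlatSafe(flat) {
  const out = Object.create(null);
  for (const key of Object.keys(flat)) {
    const parts = key.split('.');
    if (parts.some((p) => BLOCKED.has(p))) throw new Error(`unsafe key: ${key}`);
    let node = out;
    for (const part of parts.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(node, part);
      if (!own || typeof node[part] !== 'object' || node[part] === null) {
        node[part] = Object.create(null);
      }
      node = node[part];
    }
    node[parts[parts.length - 1]] = flat[key];
  }
  return out;
}

// Constructed sample messages; "polluted" is a harmless marker property.
function demo() {
  const sample = { 'nav.home': 'Home', '__proto__.polluted': 'yes' };
  expandFlatNaive(sample);
  const naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the side effect of the naive run
  let rejected = false;
  try { expandFlatSafe(sample); } catch { rejected = true; }
  return { naivePolluted, rejected, clean: ({}).polluted === undefined };
}
console.log(demo());
```

The same segment check can be run over locale files before they are loaded, so unsafe keys are caught at build or import time rather than at runtime.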

Advisory Timeline

  • Published