Vue I18n Prototype Pollution Vulnerability in Message Resolver and Vue I18n Core
Vulnerability
A prototype pollution vulnerability has been identified in Vue I18n, the internationalization plugin for Vue.js. The issue resides in the '@intlify/message-resolver' and '@intlify/vue-i18n-core' packages and affects versions 9.1.0 through 11.1.1. An attacker can manipulate the global prototype chain by injecting payloads through the 'handleFlatJson' function. This can lead to unauthorized modification of properties and causes at least a denial-of-service condition. If the injected property then interacts with sensitive Node.js APIs, it could enable the execution of arbitrary commands within the application's context.
Impact
Exploitation of this vulnerability allows for prototype pollution, which can disrupt the application's normal behavior. At a minimum, this causes a denial-of-service condition. However, the vulnerability could also be exploited to perform other injection-based attacks, particularly if the polluted prototype property is accessed by sensitive Node.js APIs, such as 'exec' or 'eval'. In such cases, an attacker could execute arbitrary commands within the application's environment.
Reproduction
To reproduce this vulnerability, install the '@intlify/message-resolver' package version 9.1.10. Then, use the 'handleFlatJson' function to send a payload that includes a prototype key, such as '__proto__.pollutedKey'. After the function executes, the injected property will appear in the prototype, demonstrating the successful exploitation of the vulnerability.
Remediation
Users can upgrade to version 9.1.11 of '@intlify/message-resolver' or '@intlify/vue-i18n-core' to address this vulnerability.
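As an added example (not code from Vue I18n or from this advisory), the JavaScript below screens locale messages for flat keys whose dotted path reaches a prototype, such as the '__proto__.pollutedKey' key described under Reproduction, and expands the remaining keys into objects that have no prototype chain. The names FORBIDDEN, findPollutingKeys and expandFlatKeys are hypothetical, and the list of refused segments is an assumption.

```javascript
// Added example: hypothetical helpers, not part of Vue I18n.
// Assumption: these are the path segments worth refusing.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Return every key (at any depth) whose dotted path has a forbidden segment.
function findPollutingKeys(messages, trail = []) {
  const hits = [];
  for (const key of Object.keys(messages)) {
    const path = [...trail, key];
    if (key.split('.').some((seg) => FORBIDDEN.has(seg))) {
      hits.push(path.join(' > '));
      continue;
    }
    const value = messages[key];
    if (value !== null && typeof value === 'object') {
      hits.push(...findPollutingKeys(value, path));
    }
  }
  return hits;
}

// Expand "a.b.c" keys into nested objects that have no prototype chain.
function expandFlatKeys(messages) {
  const bad = findPollutingKeys(messages);
  if (bad.length > 0) {
    throw new Error(`rejected message keys: ${bad.join(', ')}`);
  }
  const out = Object.create(null);
  for (const [key, value] of Object.entries(messages)) {
    const segs = key.split('.');
    let node = out;
    for (const seg of segs.slice(0, -1)) {
      const next = node[seg];
      if (next === undefined || next === null || typeof next !== 'object') {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    const nested = value !== null && typeof value === 'object' && !Array.isArray(value);
    node[segs[segs.length - 1]] = nested ? expandFlatKeys(value) : value;
  }
  return out;
}

// Constructed sample input, shaped like a locale file parsed from JSON.
const sample = JSON.parse('{"app.title":"Hello","__proto__.pollutedKey":"x"}');
```

A check of this kind belongs wherever message resources from outside the application are loaded, alongside the upgrade rather than in place of it.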
