CVE-2025-8082
This vulnerability has been fixed in the Never-Ending Support (NES) version of Vuetify offered by HeroDevs.
Overview
Vuetify is a Vue.js UI library with Material Design components for building responsive web applications.
A Cross-Site Scripting (XSS) vulnerability (CVE-2025-8082) has been identified within the Vuetify VDatePicker component, specifically in the titleDateFormat prop, which allows unsanitized HTML to be rendered on the page.
Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.
This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.
Details
Module Info
- Product: Vuetify
- Affected packages: vuetify
- Affected versions: >=2.0.0 <3.0.0
- GitHub repository: https://github.com/vuetifyjs/vuetify
- Published packages: https://npmjs.com/package/vuetify
- Package manager: npm
- Fixed in: Vuetify NES v2.7.4
Vulnerability Info
This Medium-severity vulnerability (CVSS score 6.3) is found in the v-date-picker component of Vuetify in versions >=2.0.0 <3.0.0.
The issue arises from improper handling of the value returned by the function passed to the title-date-format prop. That prop lets the application supply its own function for formatting the date shown in the picker's title. The component assigns the function's return value to the innerHTML property of the title element without sanitization, so any HTML in the returned string is parsed and rendered, and any script-bearing markup in it (for example an event-handler attribute on an injected element) runs in the context of the page. The function itself is supplied by the application, so in practice the exposure comes from formatters that build their output from data the application does not control, such as a user-supplied label or locale string: that is the path by which attacker-controlled text reaches the innerHTML sink.
Steps To Reproduce
- Create a Vue.js application using Vuetify 2.x.
- Add a v-date-picker component with the title-date-format prop.
- Bind the title-date-format prop to a function that returns malicious HTML containing executable JavaScript, for example:

```html
<v-date-picker
  v-model="selectedDate"
  :title-date-format="formatter"
></v-date-picker>
```

- The formatter function should return markup carrying executable JavaScript, such as an alert that demonstrates that it was executed. For example:

```javascript
export default {
  data: () => ({
    selectedDate: '2025-07-20',
  }),
  methods: {
    // Called by v-date-picker to produce the title text for `date`.
    // The return value is written to the title element's innerHTML unsanitized,
    // so the <img> is parsed and its onerror handler runs when the image fails to load.
    formatter(date) {
      return '<img src="x" onerror="alert(`XSS Triggered`)">';
    },
  },
};
```

- When this page is displayed, an alert will appear saying "XSS Triggered".
Proof Of Concept
A full reproduction with code similar to the above can be found here:
XSS in VDatePicker titleDateFormat POC
Mitigation
The Vuetify v2 project is End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations (the last is an interim measure only):
- Migrate affected applications away from Vuetify v2.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
- Until one of the above is in place, ensure that every function passed to title-date-format returns plain text only: HTML-escape its output and never build it from untrusted input, because the component writes the return value to innerHTML unchanged.
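The following plain JavaScript is an added example, not Vuetify's code and not part of the original advisory. It models the innerHTML sink described under Vulnerability Info and the escaping wrapper suggested as an interim mitigation above. The stub title element, `renderTitleVulnerable`, `renderTitleAsText`, `escapeHtml`, `safeTitleDateFormat`, `formatterWithLabel`, `containsMarkup` and `demo` are all hypothetical names for this illustration; the stub imitates only the innerHTML assignment and is not VDatePicker, and the text-sink variant is one possible library-side fix, not the NES patch.

```javascript
// Added example, not Vuetify source: a miniature of the sink described in the
// advisory plus an input-side wrapper an application can apply today.

// Stand-in for the picker's title element. Only the two properties the example
// touches are modelled; this is not a DOM implementation.
function makeTitleElement() {
  return { innerHTML: '', textContent: '' };
}

// Mirrors the affected behaviour: the formatter's return value goes straight
// into innerHTML, so any markup it contains is parsed as HTML.
function renderTitleVulnerable(formatter, date) {
  const el = makeTitleElement();
  el.innerHTML = formatter(date);
  return el;
}

// One possible library-side fix (illustrative; the actual NES patch is not on
// this page): treat the return value as text, never as markup.
function renderTitleAsText(formatter, date) {
  const el = makeTitleElement();
  el.textContent = formatter(date);
  return el;
}

// Escape the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Application-side mitigation: wrap any formatter so that, even if the sink
// uses innerHTML, the string it receives cannot introduce elements or handlers.
function safeTitleDateFormat(formatter) {
  return (date) => escapeHtml(formatter(date));
}

// A realistic formatter that interpolates a label the application did not author,
// e.g. one read from the URL. Constructed for this example; the label is the
// attacker's path to the sink.
function formatterWithLabel(label) {
  return (date) => `${label}: ${date}`;
}

// Review/test helper: does a rendered title contain anything parsable as a tag?
function containsMarkup(html) {
  return /<[a-zA-Z!/]/.test(html);
}

// Walk-through with a constructed payload of the same shape as the advisory's PoC.
function demo() {
  const payload = '<img src="x" onerror="alert(`XSS Triggered`)">';
  const date = '2025-07-20';
  const untrusted = formatterWithLabel(payload);
  return {
    // Unpatched component, unwrapped formatter: the <img> is parsed and onerror fires.
    vulnerable: renderTitleVulnerable(untrusted, date).innerHTML,
    // Unpatched component, wrapped formatter: the payload arrives as inert entities.
    wrapped: renderTitleVulnerable(safeTitleDateFormat(untrusted), date).innerHTML,
    // Text sink: the raw string is displayed literally and never parsed as HTML.
    textSink: renderTitleAsText(untrusted, date).textContent,
  };
}
```

In an application this means defining the method as `formatter: safeTitleDateFormat(myFormatter)` rather than passing `myFormatter` directly. Entity escaping is the correct transform here only because the value lands in element content; it is not a substitute for the upgrade, and it would be the wrong escaping for a URL or script context.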
Credits
- Christiaan Swiers (finder)