CVE-2025-8083

Prototype Pollution
Affects: Vuetify
Versions: >=2.2.0-beta.2 <3.0.0-alpha.10
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Vuetify is a Vue.js UI library with Material Design components for building responsive web applications.

A Prototype Pollution vulnerability (CVE-2025-8083) has been identified in the Preset configuration of Vuetify, specifically the mergeDeep utility function used while initializing the application.

Per OWASP: Prototype Pollution is a critical vulnerability that can allow attackers to manipulate an application's JavaScript objects and properties, leading to serious security issues such as unauthorized access to data, privilege escalation, and even remote code execution.

This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10.

Details

Vulnerability Info

This High-severity vulnerability (CVSS score 8.6) is found in the mergeDeep utility function of Vuetify versions >=2.2.0-beta.2 <3.0.0-alpha.10.

The mergeDeep utility function, which recursively merges the options passed to the Vuetify constructor into the default options, is vulnerable to Prototype Pollution. It walks every key of the supplied object, including a `__proto__` key, so a specially crafted preset option writes attacker-controlled properties onto Object.prototype. Every object that inherits from Object.prototype then carries those properties, which can alter any part of the application's behavior. The precondition is that untrusted input reaches the options object passed to the Vuetify constructor; options built only from trusted, hard-coded values are not affected.

The reproduction below demonstrates the client-side variant, but the same defect is reachable server-side. To see the server-side variant, apply the same idea of passing a malicious option to the Vuetify constructor, but deliver the payload in the body of a POST request and construct Vuetify from it inside that request handler. Because the merge runs in the server process during Server-Side Rendering (SSR), a single request can pollute Object.prototype for the whole Node.js process, and the polluted properties remain visible to every subsequent request.

Steps To Reproduce

  • Create an object and ensure it is not polluted.  For example:
const cleanObj = {};
console.log('cleanObj.polluted:', cleanObj.polluted);
  • Initialize a Vue/Vuetify app with the malicious option. For example:
// Parsed from JSON so that "__proto__" becomes an ordinary own key; an object
// literal {__proto__: ...} would only set the prototype and never reach the merge.
const maliciousOption = JSON.parse('{"preset": {"__proto__": {"polluted": true}}}');
new Vue({
  el: '#app',
  vuetify: new Vuetify(maliciousOption),
});
  • Check that cleanObj (and any new object) is polluted. For example:
console.log('cleanObj.polluted:', cleanObj.polluted);
console.log('({}).polluted:', ({}).polluted);
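The following is an added example, not Vuetify's own code or the linked proof of concept. It pairs a simplified reconstruction of a recursive option merge, assumed to behave like the vulnerable mergeDeep pattern described above, with a hardened variant, and runs the payload from the reproduction steps through both so the difference can be observed in a single Node.js process. The function names, the `defaults` object and the `probe` helper are illustrative and not part of Vuetify.

```javascript
// Added example, not Vuetify's own code: a simplified reconstruction of a
// recursive option merge that is ASSUMED to behave like the vulnerable
// mergeDeep pattern, beside a hardened variant. The payload shape is the one
// from the advisory's reproduction steps.

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: for...in visits the own "__proto__" key that JSON.parse
// creates, reads source["__proto__"] (which resolves to Object.prototype) and,
// because both sides are objects, recurses into Object.prototype and writes to it.
function mergeDeepVulnerable(source = {}, target = {}) {
  for (const key in target) {
    const s = source[key];
    const t = target[key];
    if (isObject(s) && isObject(t)) {
      source[key] = mergeDeepVulnerable(s, t);
      continue;
    }
    source[key] = t;
  }
  return source;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: own keys only, the prototype-reaching names are skipped,
// and recursion only descends into a slot that source itself owns, so the walk
// can never reach Object.prototype. Nested attacker objects are copied, not aliased.
function mergeDeepSafe(source = {}, target = {}) {
  for (const key of Object.keys(target)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const t = target[key];
    const s = Object.prototype.hasOwnProperty.call(source, key) ? source[key] : undefined;
    if (isObject(t)) {
      source[key] = mergeDeepSafe(isObject(s) ? s : {}, t);
    } else {
      source[key] = t;
    }
  }
  return source;
}

// Constructed attacker payload, as JSON text: parsing it yields an object whose
// "__proto__" is an ordinary own property. An object literal {__proto__: ...}
// would instead just set the prototype and never appear as a key to the merge.
const PAYLOAD = '{"preset": {"__proto__": {"polluted": true}}}';

// Merge the payload into a fresh, constructed defaults object with the given
// merge function, report whether Object.prototype was polluted, then undo the
// pollution so the rest of the process is not affected.
function probe(mergeFn) {
  const defaults = { preset: {}, theme: { dark: false } };
  mergeFn(defaults, JSON.parse(PAYLOAD));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

console.log('vulnerable merge pollutes Object.prototype:', probe(mergeDeepVulnerable));
console.log('hardened merge pollutes Object.prototype:  ', probe(mergeDeepSafe));
```

The hardened variant relies on three independent checks, any one of which would stop this particular payload: iterating `Object.keys` instead of `for...in`, rejecting the three prototype-reaching key names outright, and refusing to recurse into anything the destination does not own. Keeping all three means a single future oversight does not reopen the hole.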

Proof Of Concept

A full reproduction with code similar to the above can be found here:

Prototype pollution via Vuetify options POC

Mitigation

The Vuetify v2 project is End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from Vuetify v2.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Christiaan Swiers (finder)
Vulnerability Details
ID: CVE-2025-8083
Project Affected: Vuetify
Versions Affected: >=2.2.0-beta.2 <3.0.0-alpha.10
Published date: December 11, 2025
Fix date (approximate): July 28, 2025
Severity: High
Category: Prototype Pollution