Platform: nodejs
Component: vue-template-compiler
Fixed in: 2.7.17
A Cross-Site Scripting (XSS) vulnerability has been identified in vue-template-compiler, a component used for compiling Vue.js templates. This vulnerability allows attackers to inject malicious JavaScript code through prototype pollution, potentially leading to unauthorized actions or data theft. The vulnerability affects versions prior to 2.7.17, and a patch is available in Vue 3.
The vulnerability stems from the ability to manipulate the prototype chain of properties like Object.prototype.staticClass or Object.prototype.staticStyle. By injecting malicious code into these properties, an attacker can hijack the execution flow of the Vue.js application and execute arbitrary JavaScript within the user's browser context. This could lead to session hijacking, defacement of the website, or the theft of sensitive user data. Given Vue's widespread use in web applications, exploitation of this vulnerability could have a significant impact.
This vulnerability was publicly disclosed on July 23, 2024. While no active exploitation campaigns have been confirmed, the availability of a proof-of-concept could lead to opportunistic attacks. Given the widespread use of Vue.js, it is crucial to apply the patch promptly. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.31% (54th percentile)
The primary mitigation is to upgrade to Vue 2.7.17 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on user-supplied data to prevent prototype pollution. Web Application Firewalls (WAFs) configured to detect and block prototype pollution attempts can also provide a temporary layer of protection. Monitor application logs for unusual activity related to prototype modifications.
Update Vue to a version later than 2.7.16. This will fix the Cross-Site Scripting (XSS) vulnerability caused by prototype pollution. Ensure you test the application after the update to verify there are no compatibility issues.
CVE-2024-6783 is a Cross-Site Scripting (XSS) vulnerability in vue-template-compiler that allows attackers to execute JavaScript via prototype pollution.
You are affected if you are using a version of vue-template-compiler prior to 2.7.17.
Upgrade to vue-template-compiler version 2.7.17 or later to patch the vulnerability. Consider input validation as a temporary measure.
No active exploitation campaigns have been confirmed, but the availability of a proof-of-concept increases the risk of opportunistic attacks.
Refer to the official Vue.js security advisories and release notes for details: https://vuejs.org/security/