CVE-2024-6783
Description
A vulnerability has been discovered in Vue that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vue 2's in-browser template compiler is vulnerable to prototype pollution leading to XSS, allowing arbitrary JavaScript execution via crafted templates.
CVE-2024-6783 is a cross-site scripting (XSS) vulnerability in Vue 2's full build, specifically within the in-browser template compiler. The root cause is prototype pollution: an attacker who can write properties such as staticClass or staticStyle onto Object.prototype gets those values read back during AST construction, which the advisory ties to templates using a class attribute with a non-dynamic class. Because the compiler emits the render function as a string of source code, the inherited value is concatenated into that source unescaped [1][2].
To exploit this vulnerability, an attacker needs two things: a prototype pollution primitive (Vue is the gadget, not the pollution source) and a path by which the Vue template compiler runs in the victim's browser, for example an application that compiles user-provided or dynamically assembled templates. The compiler processes the template and, due to the polluted prototype, incorporates the attacker's code into the code string that is later evaluated (via an eval-like mechanism such as new Function) to produce the render function, leading to client-side XSS [1][2].
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser context. This can result in data theft, session hijacking, defacement, or other malicious actions typically associated with XSS attacks [1][2].
Vue 2 reached end-of-life on December 31, 2023, and no longer receives security updates [4]. Users are strongly advised to upgrade to Vue 3. For those who must remain on Vue 2, a commercial extended support option (Vue NES) provides fixes for this vulnerability in versions 2.6.17 and 2.7.19 [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vue-template-compiler (npm) | >= 2.0.0 | — |
Affected products: 3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Vue 2 in-browser template compiler reads properties like staticClass from the prototype chain without sanitization, allowing prototype pollution to inject malicious code into generated render functions."
Attack vector
An attacker first pollutes the prototype by setting `Object.prototype.staticClass` or `Object.prototype.staticStyle` before the Vue template compiler processes a template [ref_id=1][ref_id=2]; the pollution itself comes from a separate primitive, and Vue's compiler is the gadget that turns it into code execution. When the compiler builds the AST for a template that uses a non-dynamic class attribute, it reads `staticClass` from the AST node, and a plain object node resolves that lookup through the prototype chain [ref_id=1][ref_id=2]. Because the compiler generates a string of source code that is later evaluated as the render function, the attacker-controlled value is spliced into that string and executes as arbitrary JavaScript, i.e. cross-site scripting (XSS) [CWE-79][ref_id=1][ref_id=2]. The attack requires the application to use the full build of Vue 2 (which includes the in-browser compiler) and to compile user-influenced templates at runtime [ref_id=1][ref_id=2].
Affected code
The vulnerability resides in the Vue 2 template compiler that ships in the "full build" (runtime plus compiler) and is also published on its own as the `vue-template-compiler` npm package listed above [ref_id=1][ref_id=2]. During AST construction, the compiler retrieves properties such as `staticClass` from the element node, and when the node does not own that property the lookup falls through to `Object.prototype` [ref_id=1][ref_id=2]. The compiler concatenates those values into a string of code that is later turned into a function via an eval-like mechanism (such as `new Function`), which is what makes prototype-polluted properties dangerous here [ref_id=1][ref_id=2].
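The following is an added example illustrating the pattern described in the attack vector and affected code sections; it is a simplified model of a Vue 2-style codegen step, not Vue's source, and the names `buildNode`, `genDataVulnerable`, `genDataHardened`, `compileToRenderSource` and `executeRender` are assumptions for illustration. It builds a plain-object AST node for an element with no class attribute, pollutes `Object.prototype.staticClass` with a constructed payload, and shows that property lookups walking the prototype chain splice the payload into the generated render source and execute it, while an own-property check does not:

```javascript
// Added example, not Vue's source: a simplified model of how a Vue 2-style
// codegen step turns AST node properties into render-function source text.
// All function names here are assumptions for illustration.

// Record a static class/style only when the element actually carries one. The
// node is a plain object, so anything not set here resolves via Object.prototype.
function buildNode(tag, attrs) {
  const el = { tag };
  if (typeof attrs.class === 'string') {
    el.staticClass = JSON.stringify(attrs.class.trim()); // safe quoted literal
  }
  if (typeof attrs.style === 'string') {
    el.staticStyle = JSON.stringify(attrs.style.trim());
  }
  return el;
}

// Vulnerable pattern: `el.staticClass` walks the prototype chain, and whatever
// it yields is concatenated verbatim into the code string.
function genDataVulnerable(el) {
  let data = '';
  if (el.staticClass) data += `staticClass:${el.staticClass},`;
  if (el.staticStyle) data += `staticStyle:${el.staticStyle},`;
  return `{${data}}`;
}

// Hardened pattern: consult own properties only, so inherited values are
// ignored. (Building AST nodes with Object.create(null) is the other option.)
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function genDataHardened(el) {
  let data = '';
  if (hasOwn(el, 'staticClass')) data += `staticClass:${el.staticClass},`;
  if (hasOwn(el, 'staticStyle')) data += `staticStyle:${el.staticStyle},`;
  return `{${data}}`;
}

// The compiler emits a function body as a string ...
function compileToRenderSource(el, genData) {
  return `return _c(${JSON.stringify(el.tag)},${genData(el)})`;
}

// ... which the in-browser build later materialises with new Function / eval.
// `alert` is modelled as an injectable sink so the test can observe what the
// injected code calls without touching a real DOM.
function executeRender(source, sink) {
  const _c = (tag, data) => ({ tag, data });
  return new Function('_c', 'alert', source)(_c, sink);
}

// Runs the scenario end to end: pollute Object.prototype.staticClass with a
// constructed payload that closes the staticClass value and appends a property
// whose initializer calls alert, then compile the same node with both codegen
// variants. Returns the emitted source and what each variant executed.
function demo() {
  const el = buildNode('div', { id: 'app' }); // no class attribute on this element
  const payload = '"x",onload:alert("xss")'; // constructed for the example
  const calls = { vulnerable: [], hardened: [] };
  Object.prototype.staticClass = payload; // simulated prototype pollution
  try {
    const vulnerableSource = compileToRenderSource(el, genDataVulnerable);
    const hardenedSource = compileToRenderSource(el, genDataHardened);
    executeRender(vulnerableSource, (m) => calls.vulnerable.push(m));
    executeRender(hardenedSource, (m) => calls.hardened.push(m));
    return { vulnerableSource, hardenedSource, calls };
  } finally {
    delete Object.prototype.staticClass; // undo the pollution
  }
}
```

With the pollution in place, `demo()` produces `return _c("div",{staticClass:"x",onload:alert("xss"),})` from the vulnerable codegen, and evaluating it calls the sink with `"xss"`; the hardened codegen emits `return _c("div",{})` and calls nothing. The point for reviewers is that the dangerous step is string-based code generation fed by unguarded property reads, so either the reads must be own-property checks or the AST must not inherit from `Object.prototype`.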
What the fix does
The advisory states the fix is included in Vue NES v2.6.17 and v2.7.19 [ref_id=1][ref_id=2]. No patch diff is provided in the bundle, so the remediation guidance is limited to upgrading to those versions (or to Vue 3). A fix for this class of bug would be expected to guard property lookups during AST construction, for example by checking own properties only or by building nodes that do not inherit from `Object.prototype`, so that attacker-controlled prototype values are never concatenated into the generated render function code; this is an inference, not something the bundle confirms.
Preconditions
- config: The application must use the 'full build' of Vue 2 (which includes the in-browser template compiler)
- input: The attacker must be able to pollute Object.prototype (e.g., via a separate prototype pollution vulnerability or by controlling input that feeds into a merge/assign operation)
- input: A template must use a non-dynamic class attribute to trigger the staticClass code path
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.