GHSA-3jp5-5f8r-q2wg: Vuetify has a Prototype Pollution vulnerability
The Preset configuration feature of Vuetify is vulnerable to Prototype Pollution due to the internal ‘mergeDeep’ utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application’s behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data.
If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process.
This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10.
Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information, see https://v2.vuetifyjs.com/en/about/eol/.
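The merge pattern behind this class of bug, shown beside a hardened form, as an added example: this is not Vuetify's source code, and every function name, the sample preset and the `polluted` marker are hypothetical and constructed for illustration. Because the write lands on `Object.prototype`, the effect is process-wide, which is why an SSR server is affected as a whole.

```javascript
// Added illustration; not Vuetify's source. All names here are hypothetical.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: every key is followed, so "__proto__" resolves to
// Object.prototype on the target and the merge writes into it.
function naiveMergeDeep(target, source) {
  for (const key in source) {
    if (isObj(source[key]) && isObj(target[key])) {
      naiveMergeDeep(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip prototype-bearing keys and only recurse into
// properties the target owns itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObj(source[key])) {
      const base = own && isObj(target[key]) ? target[key] : {};
      target[key] = safeMergeDeep(base, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Merge a preset (JSON text) into fresh defaults with both functions and
// report whether unrelated objects gained the marker property afterwards.
function comparePresetMerges(presetJson, marker) {
  const defaults = () => ({ theme: { dark: false } });
  naiveMergeDeep(defaults(), JSON.parse(presetJson));
  const naivePolluted = marker in {};
  delete Object.prototype[marker]; // restore the process-wide prototype
  const merged = safeMergeDeep(defaults(), JSON.parse(presetJson));
  return { naivePolluted, safePolluted: marker in {}, merged };
}

// Constructed sample preset, parsed from JSON as untrusted input would be.
const SAMPLE_PRESET = '{"theme":{"dark":true},"__proto__":{"polluted":true}}';
console.log(comparePresetMerges(SAMPLE_PRESET, 'polluted'));
```

The same `marker in {}` check works as a regression test around any code path that merges externally supplied configuration.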
CVE ID: CVE-2025-8083
High severity GitHub Reviewed Published Dec 12, 2025 to the GitHub Advisory Database • Updated Dec 12, 2025
Package: vuetify (npm)
Affected versions: >= 2.2.0-beta.2, < 3.0.0-alpha.10
Patched versions: 3.0.0-alpha.10
EPSS score