CVE-2025-8083 in Vuetify

Summary

by MITRE • 12/12/2025

The Preset configuration (https://v2.vuetifyjs.com/en/features/presets) feature of Vuetify is vulnerable to Prototype Pollution (https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) due to the internal 'mergeDeep' utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data.

If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process.

This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10.

Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see https://v2.vuetifyjs.com/en/about/eol/.


Analysis

by VulDB Data Team • 12/12/2025

The vulnerability identified as CVE-2025-8083 resides within the preset configuration functionality of Vuetify version 2.x, specifically affecting versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10. This issue stems from the internal 'mergeDeep' utility function that handles the merging of user-defined options with default configurations, creating a prototype pollution vulnerability that can have severe implications for application security and stability. The vulnerability manifests when maliciously crafted preset configurations are processed through this utility function, allowing attackers to inject arbitrary properties into JavaScript object prototypes, thereby affecting the entire application behavior.

Prototype pollution represents a critical security flaw classified under CWE-471, where attackers can manipulate object prototypes to inject malicious properties that propagate throughout the application's object hierarchy. The mergeDeep utility function fails to properly validate or sanitize input parameters, enabling attackers to craft preset configurations containing malicious property names that, when merged, pollute the Object.prototype with unintended properties. This contamination affects all JavaScript objects that inherit from the prototype chain, potentially leading to unexpected behavior, code execution, or manipulation of application logic. The vulnerability is particularly dangerous because it operates at a fundamental level of JavaScript object inheritance, making it difficult to detect and prevent through conventional security measures.

The operational impact of this vulnerability extends beyond simple application instability to encompass serious security concerns including denial of service attacks through resource exhaustion and potential unauthorized data access. When applications utilize Server-Side Rendering (SSR) with Vuetify, the vulnerability becomes even more critical as the malicious preset configuration can compromise the entire server process, potentially leading to complete system compromise. The prototype pollution can cause applications to behave unpredictably, leading to crashes, memory leaks, or execution of unintended code paths. Attackers can exploit this vulnerability to manipulate application state, bypass security controls, or gain unauthorized access to sensitive data through the contaminated object prototypes that affect all downstream operations.

Mitigation strategies for CVE-2025-8083 require immediate attention from development teams, particularly since Vuetify 2.x has reached end-of-life status and will not receive further updates to address this issue. Organizations should prioritize upgrading to Vuetify 3.x, which implements proper prototype pollution protections in its configuration handling mechanisms. Until such upgrades are possible, defensive programming techniques should be implemented including input validation, sanitization of preset configurations, and strict enforcement of configuration schema validation. Security teams should also consider implementing runtime monitoring to detect anomalous object prototype modifications and establish network-level controls to prevent the execution of malicious preset configurations. The ATT&CK framework categorizes this vulnerability under T1546.008 (Stage 2: Persistence) and T1059.007 (Command and Scripting Interpreter: JavaScript) due to the potential for persistent malicious code injection and JavaScript-based exploitation techniques that can leverage prototype pollution for broader system compromise.
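As an added illustration (not Vuetify's own code), a naive recursive merge of the kind the summary describes, beside a hardened version and the kind of startup check the mitigation advice above points to. The defaults and preset are constructed sample data, and isPlainObject, mergeDeepNaive, mergeDeepSafe, prototypeIsPolluted and mergeSafely are names assumed for this example.

```javascript
// Added illustration, not Vuetify's code: a naive recursive merge of the kind
// the advisory describes, beside a hardened version and a runtime check.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: every enumerable key of `source` is written into `target`,
// descending into nested objects. "__proto__" is treated like any other key,
// so target["__proto__"] resolves to Object.prototype and the nested values
// land on every object in the process (under SSR, the whole server).
function mergeDeepNaive(target, source) {
  for (const key in source) {
    if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      mergeDeepNaive(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: drop prototype-bearing keys, copy only the source's own
// properties, and never descend into a value the target merely inherits.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const sv = source[key];
    const tv = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    target[key] = isPlainObject(sv) ? mergeDeepSafe(isPlainObject(tv) ? tv : {}, sv) : sv;
  }
  return target;
}

// Startup or monitoring check: a fresh object must not inherit the marker key.
function prototypeIsPolluted(marker) {
  return marker in {};
}

// Constructed sample: Vuetify-style defaults and an untrusted preset parsed
// from JSON (JSON.parse creates an own "__proto__" key, which the naive
// merge then follows into Object.prototype).
const DEFAULTS = { theme: { dark: false, themes: { light: { primary: '#1976D2' } } } };
const UNTRUSTED_PRESET = JSON.parse('{"theme":{"dark":true},"__proto__":{"polluted":"yes"}}');

function mergeSafely() {
  return mergeDeepSafe(JSON.parse(JSON.stringify(DEFAULTS)), UNTRUSTED_PRESET);
}
```

The hardened merge keeps the legitimate theme override and the untouched defaults while the prototype stays clean; the naive merge leaves the marker visible on every new object.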

Responsible

HeroDevs

Reservation

07/23/2025

Disclosure

12/12/2025

Moderation

accepted

CPE

ready

EPSS

0.00200

KEV

no

Activities

very low
