CVE-2025-8083
Published: 12 December 2025
Description
The Preset configuration https://v2.vuetifyjs.com/en/features/presets feature of Vuetify is vulnerable to Prototype Pollution https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html due to the internal 'mergeDeep' utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data. If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process. This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .
Mitigating Controls (NIST 800-53 r5)
- Directly requires identifying, reporting, and correcting flaws like this prototype pollution vulnerability in Vuetify by upgrading to a patched version.
- Prohibits use of unsupported components such as EOL Vuetify 2.x, preventing exploitation of unpatched vulnerabilities like CVE-2025-8083.
- Requires validation of preset configuration inputs to block specially-crafted malicious payloads that cause prototype pollution.
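The following is an added example, not Vuetify's own 'mergeDeep' (whose source is not reproduced here) and not part of this advisory. It illustrates both the mechanism the description attributes to the merge utility and the input validation the last control asks for: a generic recursive merge that treats "__proto__" like any other key, a hardened variant that skips prototype-affecting keys and only merges into own plain-object properties, and a small check (the hypothetical `pollutes` helper) that a maintainer can run against their own merge utility to confirm it does not reach Object.prototype. The preset payload is constructed for the check, built with JSON.parse so that "__proto__" becomes an own property, which is how it would arrive from parsed configuration data.

```javascript
// Added example, not Vuetify's code. Names are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for plain objects (literal / JSON objects), not arrays, functions
// or class instances.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Naive deep merge of the kind the advisory describes: every key of `source`
// is walked and nested objects are recursed into. "__proto__" is not special-
// cased, so target["__proto__"] resolves to Object.prototype and the nested
// object is merged into it, i.e. into every object in the process.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const s = source[key];
    if (isPlainObject(s)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMergeDeep(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Hardened deep merge: prototype-affecting keys are dropped, and the merge
// only descends into properties `target` itself owns, never inherited ones.
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never write through to a prototype
    const s = source[key];
    if (isPlainObject(s)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const next = isPlainObject(own) ? own : {};
      target[key] = safeMergeDeep(next, s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Constructed preset for the check below (not from the advisory). JSON.parse is
// used because an object literal with a "__proto__" key would set the
// prototype instead of creating an own property.
const MALICIOUS_PRESET = JSON.parse(
  '{"theme":{"dark":true},"__proto__":{"polluted":"yes"}}'
);

// Detection check: merge the constructed preset into fresh defaults with
// `mergeFn` and report whether an unrelated, newly created object gained the
// injected property. The property is always removed again afterwards so a
// positive result does not leak into the rest of the process.
function pollutes(mergeFn) {
  const defaults = { theme: { dark: false } };
  try {
    mergeFn(defaults, MALICIOUS_PRESET);
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// The hardened merge still applies the legitimate part of the preset.
function mergedTheme() {
  return safeMergeDeep({ theme: { dark: false, primary: '#1976d2' } }, MALICIOUS_PRESET).theme;
}

console.log('naive merge pollutes Object.prototype:', pollutes(naiveMergeDeep)); // true
console.log('safe merge pollutes Object.prototype:', pollutes(safeMergeDeep));   // false
console.log('safe merge result theme:', mergedTheme());                          // { dark: true, primary: '#1976d2' }
```

The `pollutes` check is the part worth keeping: pointed at any deep-merge helper in a code base, it answers in one call whether configuration-shaped input can reach Object.prototype, which is the property this advisory is about. A merge that copies with `Object.keys` alone is not sufficient; the key filter and the own-property check together are what keep the recursion on the target object.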
Security Summary
CVE-2025-8083 is a prototype pollution vulnerability in the Preset configuration feature of Vuetify, a popular Vue.js UI library. The issue stems from the internal 'mergeDeep' utility function, which merges user-provided options with defaults and allows a specially crafted malicious preset to pollute the prototypes of all JavaScript objects with arbitrary properties. This affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10, potentially disrupting application behavior across client-side and server-side rendering (SSR) contexts, where SSR exploitation could impact the entire server process.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). By supplying a malicious preset, attackers can achieve a range of impacts, including resource exhaustion leading to denial of service, unauthorized data access, or other behavioral alterations in the affected application.
Advisories note that Vuetify 2.x is end-of-life and will not receive patches; users should refer to the official EOL announcement for details. Vulnerable applications should upgrade to Vuetify 3.0.0-alpha.10 or later. Proof-of-concept exploits are available via references such as the CodePen demonstration and the Herodevs vulnerability directory.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated remote exploitation of a public-facing web application component (T1190) via prototype pollution, facilitating application-level DoS through resource exhaustion (T1499.004).