CVE-2025-62798: Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.
In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed.
For example, if a field’s value contains {{ Math.random() }}, it will be executed instead of being displayed as text.
References
- github.com/ViktorMares/vue-js-xss-payload-list
- github.com/advisories/GHSA-9f58-4465-23c7
- github.com/code16/sharp
- github.com/code16/sharp/pull/654
- github.com/code16/sharp/releases/tag/v9.11.1
- github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7
- medium.com/@sid0krypt/vue-js-reflected-xss-fae04c9872d2
- nvd.nist.gov/vuln/detail/CVE-2025-62798
Code Behaviors & Features
Detect and mitigate CVE-2025-62798 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →