CVE-2025-5897: @vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability

June 9, 2025

A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.

References

github.com/advisories/GHSA-79vf-hf9f-j9q8
github.com/vuejs/vue-cli
github.com/vuejs/vue-cli/pull/7478
nvd.nist.gov/vuln/detail/CVE-2025-5897
vuldb.com/?ctiid.311669
vuldb.com/?id.311669
vuldb.com/?submit.585798

Code Behaviors & Features

Detect and mitigate CVE-2025-5897 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →