CVE-2024-9506

LOW

Vue 2.0.0-2.7.15 - Regular Expression Denial of Service in parseHTML Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-9506. PoCs published by bio.

AI-analyzed exploit summary This repository provides a patched version of vue-template-compiler to address CVE-2024-9506 (ReDoS) and CVE-2024-6783 (prototype pollution). It includes installation instructions and API documentation for the patched compiler.

Description

Improper regular expression in Vue's parseHTML function leads to a potential regular expression denial of service vulnerability.

Exploits (1)

nomisec WORKING POC 17 stars

by bio · poc

https://github.com/bio/vue-template-compiler-patched

View Code ZIP pw:eip

This repository provides a patched version of vue-template-compiler to address CVE-2024-9506 (ReDoS) and CVE-2024-6783 (prototype pollution). It includes installation instructions and API documentation for the patched compiler.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: vue-template-compiler (Vue.js 2.x)

No auth needed

Prerequisites: Vue.js 2.x project using vue-template-compiler

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Various Sources

https://www.herodevs.com/vulnerability-directory/cve-2024-9506

Scores

CVSS v3 3.7

EPSS 0.0003

EPSS Percentile 8.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

npm/vue 2.0.0-alpha.1 - 3.0.0-alpha.0npm

vue/vue 2.0.0 - 2.7.16

Published Oct 15, 2024

Tracked Since Feb 18, 2026