CVE-2025-5897 – This vulnerability in vue-cli's PWA plugin invo... (How to Fix)

📋 TL;DR

This vulnerability in vue-cli's PWA plugin involves inefficient regular expression complexity in the HtmlPwaPlugin component. Attackers can cause denial of service by sending specially crafted inputs that trigger excessive resource consumption during regex processing. Developers using vue-cli versions up to 5.0.8 with the PWA plugin are affected.

💻 Affected Systems

Products:

vuejs vue-cli

Versions: up to and including 5.0.8

Operating Systems: all

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using the @vue/cli-plugin-pwa component. Development environments and build pipelines are primarily at risk.

📦 What is this software?

Vue Cli by Vuejs

View all CVEs affecting Vue Cli →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion from regex processing, potentially causing application crashes or degraded performance for all users.

🟠

Likely Case

Temporary performance degradation or service disruption for specific users when malicious inputs trigger inefficient regex evaluation.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits in place, potentially causing only minor performance spikes.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Remote exploitation is possible but requires specific conditions where the vulnerable regex is triggered during build or development processes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.9 and later

Vendor Advisory: https://github.com/vuejs/vue-cli/pull/7478

Restart Required: No

Instructions:

1. Update vue-cli globally: npm update -g @vue/cli
2. Update in project: npm update @vue/cli-plugin-pwa
3. Verify version: vue --version should show 5.0.9 or higher

🔧 Temporary Workarounds

Disable PWA plugin temporarily

all

Remove or disable the @vue/cli-plugin-pwa from your vue.config.js if not essential

npm remove @vue/cli-plugin-pwa
Remove pwa configuration from vue.config.js

Implement input validation

all

Add validation to prevent malicious inputs from reaching the vulnerable regex

🧯 If You Can't Patch

Implement rate limiting and monitoring for build processes
Isolate development/build environments from production networks

🔍 How to Verify

Check if Vulnerable:

Check package.json for @vue/cli-plugin-pwa version <=5.0.8 or run: npm list @vue/cli-plugin-pwa

Check Version:

npm list @vue/cli-plugin-pwa | grep @vue/cli-plugin-pwa

Verify Fix Applied:

Verify @vue/cli-plugin-pwa version is 5.0.9+ and test build process with various inputs

📡 Detection & Monitoring

Log Indicators:

Unusually long build times
High CPU usage during vue-cli operations
Regex timeout errors

Network Indicators:

Multiple rapid requests to development servers
Unusual patterns in build artifact requests

SIEM Query:

process.name:"vue-cli-service" AND (cpu.usage>90 OR duration>300s)

📊 Metadata

CVE ID: CVE-2025-5897

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

EPSS Score: 0.14% exploit probability (34.5th percentile)

Published: June 9, 2025

Last Updated: July 10, 2025

🔗 References

https://github.com/vuejs/vue-cli/pull/7478 Exploit,Issue Tracking,Patch
https://vuldb.com/?ctiid.311669 Permissions Required,VDB Entry
https://vuldb.com/?id.311669 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.585798 Third Party Advisory,VDB Entry
https://github.com/vuejs/vue-cli/pull/7478 Exploit,Issue Tracking,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5897, you might also want to check these: