Recently, a screenshot of "SonarQube and Vue.js involving national security vulnerabilities" circulating on the Internet has attracted attention in the industry. On January 25, You Yuxi, the founder of Vue.js, quickly responded to the matter on his personal platform account.
You Yuxi said that Vue has always attached great importance to security issues, and has not received vulnerability reports recently.
In his response, You Yuxi pointed out that "a front-end framework cannot be used by hackers for infiltration": "The wording in the screenshots may lead some friends who do not understand the technology to think that 'Vue is used by hackers for infiltration'. This is a misunderstanding. A hacker's penetration may exploit vulnerabilities in the front-end framework used by the target, but the hacker will not use the front-end framework as a tool for penetration, because a front-end framework simply does not have that capability."
After investigating the public information on the Internet, he found that "the vulnerability in the article is a pure back-end API authentication vulnerability, which has nothing to do with the front end or with Vue." In addition, he did not find any vulnerability disclosure about Vue, and there are currently no vulnerabilities against Vue.js itself in the public CVE database.
As an open source project, Vue is a front-end project released as JavaScript source code, and every line of it is open to any security audit. More than 5 years have passed since Vue 2 was released, and it is widely used across the industry worldwide; during this period no real security vulnerability has been found.
At the same time, You Yuxi also explained how XSS attacks work: "The front end is code executed in the user's browser, and the type of vulnerability there is usually XSS (Cross-Site Scripting). XSS refers to uploading malicious content whose embedded script is inadvertently rendered, so that it executes when other users log in and steals their data. XSS can occur in many forms, and may also occur on purely server-side rendered pages; it does not necessarily involve a front-end framework."
It is understood that the Vue team has previously received some so-called "vulnerability" reports in private, but almost all of them assume that arbitrary HTML uploaded by a user is used as a Vue template or as v-html data. This scenario is not fundamentally different from directly rendering arbitrary HTML uploaded by the user: it leads to XSS whether or not Vue is used, and the security chapter of the Vue documentation specifically warns against this practice.
You Yuxi explained that the responsibility of a front-end framework is to render the interface according to the template and data provided by the developer. If a developer forces the framework to render an untrusted template and then accuses the framework of being unsafe, it is like using innerHTML to render untrusted content and then accusing the browser of having a security hole.
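The distinction You Yuxi draws, between a template putting a user string on the page as text and putting it on the page as raw markup, can be shown without Vue at all. The following is an added example written for this article; it is not Vue's code and does not call the Vue library. It mimics the two rendering paths with a minimal HTML escaper (standing in for `{{ }}` text interpolation and `textContent`) and a verbatim path (standing in for `v-html` and `innerHTML`), and feeds both a constructed "comment" carrying an `onerror` handler. The `containsActiveMarkup` check is a crude regex used only to make the result visible; it is not a sanitizer.

```javascript
// Added illustration for this article; not Vue's code. It mimics the two ways
// a template can put a user-supplied string on the page: as text (Vue's {{ }}
// interpolation, DOM textContent) or as raw markup (v-html, DOM innerHTML).

// Escape the five characters that can change HTML structure or attribute
// boundaries. This is, in effect, what text interpolation does.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a comment card the way text interpolation would: the user string
// can never become a tag, attribute or event handler.
function renderAsText(userComment) {
  return `<div class="comment">${escapeHtml(userComment)}</div>`;
}

// Render the same card the way v-html / innerHTML would: whatever markup the
// user supplied is emitted verbatim and the browser will parse it as HTML.
// This is the "render an untrusted template" case the article describes.
function renderAsHtml(userComment) {
  return `<div class="comment">${userComment}</div>`;
}

// Crude visibility check for this demo only: is there a <script> tag, or a
// tag carrying an on* event-handler attribute? Real protection is escaping
// or a proper sanitizer, not a regex over the output.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample inputs: one attacker-supplied comment and one benign one.
const MALICIOUS_COMMENT = '<img src=x onerror="alert(document.cookie)">';
const BENIGN_COMMENT = 'Tom & Jerry <3';

// Render a comment both ways and report whether each output carries markup
// the browser would execute.
function compareRenderings(userComment) {
  const text = renderAsText(userComment);
  const html = renderAsHtml(userComment);
  return {
    text,
    html,
    textHasActiveMarkup: containsActiveMarkup(text),
    htmlHasActiveMarkup: containsActiveMarkup(html),
  };
}

console.log(compareRenderings(MALICIOUS_COMMENT));
console.log(compareRenderings(BENIGN_COMMENT));
```

For the malicious comment the escaped rendering contains only `&lt;img ... &gt;` text and no executable handler, while the verbatim rendering hands the browser a live `onerror`. The framework is identical in both runs; only the developer's choice of rendering path differs, which is the point of the innerHTML analogy above.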
Finally, he emphasized: as long as common front-end security sense is followed, Vue itself does not have any security problems. "Therefore, we are very confused as to why Vue is included in the investigation. If anyone knows the details of the vulnerability, please send an email to security@vuejs.org to let us know. If you are asked about this by a co-worker or boss, please share this article as well."
It is reported that the source of the two screenshots circulating on the Internet is unknown, and they have been widely circulated in the industry. Their content reads: "Relevant departments inform that overseas hacker organizations are using SonarQube and Vue.js to carry out network attack probing against the above-mentioned units. Relevant departments therefore require domestic agencies and important enterprises and institutions to organize an investigation of their use of the open source projects SonarQube and Vue.js, with a focus on government service platforms."