The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://github.com/messageformat/messageformat/issues/452 |
|
History
Wed, 24 Sep 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component. | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2025-09-24T18:59:08.016Z
Reserved: 2025-08-17T00:00:00.000Z
Link: CVE-2025-57349
Vulnrichment
No data.
NVD
Status : Awaiting Analysis
Published: 2025-09-24T19:15:40.233
Modified: 2025-09-26T14:32:53.583
Link: CVE-2025-57349
Redhat
No data.
OpenCVE Enrichment
No data.