CVE-2025-57353

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-57353
The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57353
https://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a6d14b70c0a3ce0
https://github.com/messageformat/messageformat/issues/453
https://github.com/messageformat/messageformat/issues/453#issuecomment-3466959449
https://github.com/messageformat/messageformat/pull/464
Configurations

No configuration.

History

31 Oct 2025, 00:15

Type Values Removed Values Added
References
  • () https://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a6d14b70c0a3ce0 -
  • () https://github.com/messageformat/messageformat/issues/453#issuecomment-3466959449 -
  • () https://github.com/messageformat/messageformat/pull/464 -
Summary (en) The Runtime components of messageformat package for Node.js prior to version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. This issue remains unaddressed in the latest available version. (en) The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle.

25 Sep 2025, 19:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
CWE CWE-1321

24 Sep 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-09-24 18:15

Updated : 2025-10-31 00:15

NVD link : CVE-2025-57353

Mitre link : CVE-2025-57353

CVE.ORG link : CVE-2025-57353

JSON object : View

Products Affected

No product.

CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')