CVE-2025-57353

The Runtime components of the messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Because nested message keys are insufficiently validated while message data is processed, an attacker who supplies specially crafted input can manipulate the prototype chain of JavaScript objects. This can inject arbitrary properties into Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, affecting every object instance created afterwards for the application's lifetime.
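As an added defensive illustration (not code from the messageformat project), the following shows how an application that expands dotted message keys into a nested table can reject key segments that reach the prototype chain; the dotted-key format, the function names and the sample input are assumptions.

```javascript
// Added illustration, not messageformat's own code. Message data is modelled
// as a flat map of dotted keys ("app.greeting") to message strings that is
// expanded into a nested table; the keys are assumed attacker-influenced.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject any path segment that could reach the prototype chain (CWE-1321).
function isSafeMessageKey(key) {
  return key
    .split('.')
    .every((seg) => seg.length > 0 && !FORBIDDEN_SEGMENTS.has(seg));
}

// Build the nested table on prototype-less objects so that even a missed
// check cannot land on Object.prototype, and only ever create own properties.
function buildMessageTable(messages) {
  const root = Object.create(null);
  for (const [key, value] of Object.entries(messages)) {
    if (!isSafeMessageKey(key)) {
      throw new Error(`rejected unsafe message key: ${key}`);
    }
    const parts = key.split('.');
    let node = root;
    for (const part of parts.slice(0, -1)) {
      if (!Object.hasOwn(node, part)) node[part] = Object.create(null);
      node = node[part];
      // A leaf string already stored at this path cannot hold children.
      if (typeof node !== 'object' || node === null) {
        throw new Error(`key conflict at segment: ${part}`);
      }
    }
    node[parts[parts.length - 1]] = value;
  }
  return root;
}

// Constructed sample input: benign keys and one key aimed at the prototype.
const benignMessages = { 'app.greeting': 'Hello, {name}!', 'app.farewell': 'Bye' };
const poisonedMessages = { '__proto__.polluted': 'yes' };
```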
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type: Summary
Values Added: (es, translated) The Runtime components of the messageformat package for Node.js prior to version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into Object.prototype, which could lead to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. This issue remains unaddressed in the latest available version.

31 Oct 2025, 00:15

Type: Summary
Values Removed: (en) The Runtime components of messageformat package for Node.js prior to version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. This issue remains unaddressed in the latest available version.
Values Added: (en) The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle.

Type: References
Values Added:
  • https://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a6d14b70c0a3ce0
  • https://github.com/messageformat/messageformat/issues/453#issuecomment-3466959449
  • https://github.com/messageformat/messageformat/pull/464

25 Sep 2025, 19:15

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 5.3

Type: CWE
Values Added: CWE-1321

24 Sep 2025, 18:15

Type: New CVE

Information

Published : 2025-09-24 18:15

Updated : 2026-04-15 00:35
NVD link : CVE-2025-57353

Mitre link : CVE-2025-57353

CVE.ORG link : CVE-2025-57353

Products Affected

No product.

CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')