216.73.217.86

CVE-2025-57353

· Published 24/09/2025 18:15 · Modified 25/09/2025 19:15

Labels: CVE-2025-57353 2025-09-24CVE-2025-57353CWE-1321[email protected]

Essential information

Published
24/09/2025 18:15
Modified
25/09/2025 19:15
Author
Creator
CVSS
5.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS metrics

Description

The Runtime components of messageformat package for Node.js prior to version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. This issue remains unaddressed in the latest available version.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
messageformat / messageformat cpe:2.3:a:messageformat:messageformat:<3.0.1:*:*:*:*:*:*:*

References