PT-2025-39317 · Node.js · Messageformat

Published: 2025-09-24 · Updated: 2025-10-31 · CVE-2025-57353

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

messageformat versions prior to 3.0.2

Description

The Runtime components of the messageformat package for Node.js are susceptible to a prototype pollution issue. Insufficient validation of nested message keys during message data processing allows an attacker to manipulate the JavaScript object prototype chain with specially crafted input. This manipulation can lead to the injection of arbitrary properties into the Object.prototype, potentially causing denial of service or unexpected application behavior. The issue allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle.

Recommendations

Update to messageformat version 3.0.2 or later.

Exploit

Fix

DoS

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2025-57353
GHSA-6XV4-9CQP-92RH

Affected Products

Messageformat