PT-2025-39330 · Unknown · Messageformat

Published: 2025-09-24 · Updated: 2025-10-17 · CVE-2025-57349

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: messageformat versions prior to 2.3.0
Description: The messageformat package, a JavaScript implementation of the Unicode MessageFormat 2 specification, contains a flaw in its handling of message key paths. Nested message keys whose segments include special names such as `__proto__` are not rejected, which can lead to prototype pollution. A remote attacker could potentially inject properties into the global object prototype using specially crafted message input, which may result in denial of service or other unpredictable behavior in applications that use the component.
Recommendations: Update to version 2.3.0 or later.
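As an added illustration of this bug class (not messageformat's own code), the hypothetical `setNestedUnsafe` below expands a dotted message key into nested objects the way a catalogue loader might, and `setNestedSafe` is the hardened form that rejects prototype-reaching segments and only descends through own properties; `pollutionObserved` is a helper that checks whether an unrelated object picked up the injected property.

```javascript
// Hypothetical key-path setters illustrating CVE-2025-57349's bug class.
// Neither function is taken from the messageformat package.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: plain property access while walking the path, so a segment
// named "__proto__" steps into Object.prototype and the final assignment
// lands on every object in the process.
function setNestedUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (node[part] === undefined) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: refuse prototype-reaching segments up front, descend only into
// own properties, and create null-prototype containers so inherited names
// can never be reached through the walk.
function setNestedSafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  for (const part of parts) {
    if (BLOCKED_SEGMENTS.has(part)) {
      throw new Error(`refusing key segment "${part}" in "${dottedKey}"`);
    }
  }
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, part)) {
      node[part] = Object.create(null);
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Detection helper: returns true if setting the constructed key
// "__proto__.polluted" through `setter` leaked onto an unrelated object.
// Cleans up Object.prototype afterwards so the rest of the process is unaffected.
function pollutionObserved(setter) {
  const probe = {}; // unrelated object; should never gain "polluted"
  let leaked;
  try {
    setter({}, '__proto__.polluted', 'yes');
    leaked = probe.polluted;
  } catch (e) {
    leaked = undefined; // the safe setter rejects the key outright
  } finally {
    delete Object.prototype.polluted;
  }
  return leaked === 'yes';
}
```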

Fix · DoS · Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2025-57349
GHSA-XFQM-J7PC-XRFC

Affected Products

Messageformat