Prototype Pollution Vulnerability in Node.js Messageformat Package
CVE-2025-57353
5.3 MEDIUM
What is CVE-2025-57353?
The messageformat package for Node.js prior to version 3.0.1 is susceptible to a prototype pollution vulnerability because nested message keys are not adequately validated. An attacker can craft malicious input that manipulates the prototype chain of JavaScript objects and injects arbitrary properties into Object.prototype, which may lead to unexpected application behavior or denial of service conditions throughout the application's lifecycle. This critical issue has yet to be addressed in the current version.
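One way an application can screen nested message keys before handing a catalogue to a formatter, shown as an added example (not code from the messageformat project). The helper names, the sample catalogues and the assumed shape (nested plain objects with string leaves) are constructed for illustration.

```javascript
// Keys that reach the prototype chain when used as plain-object property names.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed samples: message catalogues as they might arrive as JSON text.
// JSON.parse creates "__proto__" as an own property, so it survives parsing
// and only becomes dangerous when a later merge or assignment copies it.
const SAMPLE_OK = '{"en":{"greeting":"Hello {name}","errors":{"missing":"Not found"}}}';
const SAMPLE_BAD = '{"en":{"errors":{"__proto__":{"polluted":"yes"}}}}';

// Hypothetical helper: walk a nested message object and return the dotted
// path of every forbidden key, e.g. "en.errors.__proto__".
function findForbiddenKeys(node, path = []) {
  const hits = [];
  if (node === null || typeof node !== 'object') return hits;
  for (const key of Object.keys(node)) {
    const here = path.concat(key);
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    else hits.push(...findForbiddenKeys(node[key], here));
  }
  return hits;
}

// Hypothetical helper: copy messages into null-prototype objects, so lookups
// on the result can never fall through to Object.prototype.
function sanitizeMessages(node) {
  if (node === null || typeof node !== 'object') return node;
  const out = Object.create(null);
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden message key: ${key}`);
    out[key] = sanitizeMessages(node[key]);
  }
  return out;
}

// Reject the whole catalogue with a full report, then return a safe copy.
function loadMessages(json) {
  const parsed = JSON.parse(json);
  const hits = findForbiddenKeys(parsed);
  if (hits.length > 0) throw new Error(`rejected message keys: ${hits.join(', ')}`);
  return sanitizeMessages(parsed);
}
```

Running the same walk over message files in CI flags a catalogue containing these keys before it reaches production.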
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
