CVE-2025-57353

low-risk
Published 2025-09-24

The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle.

Do I need to act?

-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

References (5)

https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/C...
https://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a...
https://github.com/messageformat/messageformat/issues/453
https://github.com/messageformat/messageformat/issues/453#issuecomment-346695944...
https://github.com/messageformat/messageformat/pull/464
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal