CVE-2025-57353
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-24

Last updated on: 2025-10-31

Assigner: MITRE

Description
The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-24
Last Modified
2025-10-31
Generated
2026-06-16
AI Q&A
2025-09-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57353
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
messageformat runtime *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a prototype pollution issue in the Runtime components of the messageformat package for Node.js versions prior to 3.0.1. It occurs because the software does not properly validate nested message keys when processing message data. An attacker can exploit this by providing specially crafted input that manipulates the prototype chain of JavaScript objects, injecting arbitrary properties into Object.prototype. This can affect all objects created afterward in the application.

Impact Analysis

The vulnerability can lead to denial of service conditions or cause unexpected application behavior by allowing attackers to alter the prototype of base objects. This impacts all subsequent object instances throughout the application's lifecycle, potentially compromising application stability and security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57353. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart