Home > Vulnerability Database > CVE-2025-57349

Mend.io Vulnerability Database

CVE-2025-57349

Good to know:

Date: September 23, 2025

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., proto ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.

Severity Score

7.5

Related Resources (4)

Url: https://github.com/messageformat/messageformat

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-57349

Url: https://github.com/messageformat/messageformat/issues/452

Url: https://www.mend.io/vulnerability-database/CVE-2025-57349

Severity Score

7.5

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version messageformat - 3.0.0-beta.0;messageformat - 3.0.0-beta.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-57349

Good to know:

Date: September 23, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?