CVE-2025-57349: High severity messageformat messageformat vulnerability

Published Sep 24, 2025

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution in versions prior to 2.3.0 because of improper handling of message key paths. The flaw arises when nested message keys containing special path segments (e.g., __proto__) are processed: walking such a key path can reach and modify the shared JavaScript Object prototype instead of a plain message object. A remote attacker who controls message input may therefore inject properties into the global object prototype via a specially crafted message, potentially causing denial of service or other undefined behavior in applications that use the affected component.
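The mechanism described above, as an added illustration that is not messageformat's own code: a loader that expands dotted message keys ("greeting.hello") into nested objects is shown in an unsafe form, where a "__proto__" segment resolves to Object.prototype and the final assignment pollutes it, and beside it a hardened form that rejects prototype-reaching segments and only descends through own properties. The function names, the "path.to.key" input shape and the sample message map are assumptions made for this example; the hardened version shows one common mitigation and is not a claim about the exact change shipped in messageformat 2.3.0.

```javascript
// Added example (not from the messageformat project): nested message-key
// expansion as a prototype-pollution sink, and a hardened counterpart.

// Unsafe pattern. Intermediate objects are created with plain property
// access, so a path segment of "__proto__" on an ordinary object yields
// Object.prototype, and the last assignment lands on the shared prototype.
function setNestedKeyUnsafe(target, keyPath, value) {
  const parts = keyPath.split('.');
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (typeof node[part] !== 'object' || node[part] === null) {
      node[part] = {};
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Segments through which a key path can reach a prototype object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: refuse forbidden segments up front, descend only into
// properties the node itself owns, and create prototype-less containers so
// an inherited property can never serve as a stepping stone.
function setNestedKeySafe(target, keyPath, value) {
  const parts = keyPath.split('.');
  for (const part of parts) {
    if (FORBIDDEN_SEGMENTS.has(part)) {
      throw new Error(`Refusing unsafe message key segment: ${part}`);
    }
  }
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || typeof node[part] !== 'object' || node[part] === null) {
      node[part] = Object.create(null);
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Detection check: has the shared prototype acquired a property of its own?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Assumed loader shape: a flat map of "path.to.key" -> message string.
function loadMessages(setter, entries) {
  const messages = {};
  for (const [key, value] of Object.entries(entries)) {
    setter(messages, key, value);
  }
  return messages;
}

// Runs both loaders over a constructed message map that carries one
// crafted key, and reports what happened to Object.prototype.
function demonstrate() {
  const untrusted = { 'greeting.hello': 'Hi', '__proto__.polluted': 'yes' };
  loadMessages(setNestedKeyUnsafe, untrusted);
  const pollutedByUnsafe = isPolluted('polluted');
  delete Object.prototype.polluted; // undo the pollution for the rest of the process
  let rejectedBySafe = false;
  try {
    loadMessages(setNestedKeySafe, untrusted);
  } catch (e) {
    rejectedBySafe = true;
  }
  return { pollutedByUnsafe, rejectedBySafe, pollutedAfterSafe: isPolluted('polluted') };
}

console.log(demonstrate());
```

The throw in setNestedKeySafe is deliberate: silently dropping the offending key would hide a hostile input from logging and monitoring, whereas a rejected load is both a safe outcome and a detectable event. The same isPolluted check is a cheap runtime assertion to run after loading any externally supplied message bundle.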

Affected Software

3 affected components (fixes available)

messageformat / messageformat: < 2.3.0
npm/messageformat: < 2.3.0
npm/messageformat: 3.0.0-beta.0
Openjsf Messageformat: < 2.3.0

Event History

Sep 24, 2025

12:00 AM  CVE Published (via MITRE)
12:00 AM  Data Sourced via MITRE: Description
07:15 PM  Data Sourced via NVD: Description, Severity, Weakness
07:15 PM  Data Sourced via NVD: Affected Software
09:30 PM  Advisory Published (via GitHub)
09:30 PM  Data Sourced via GitHub: Description, Weakness, Affected Software

Frequently Asked Questions

1. What is the severity of CVE-2025-57349?

CVE-2025-57349 is a high severity vulnerability due to the risk of prototype pollution.

2. How do I fix CVE-2025-57349?

To fix CVE-2025-57349, upgrade the messageformat package to version 2.3.0 or later.

3. What software is affected by CVE-2025-57349?

CVE-2025-57349 affects the messageformat package versions prior to 2.3.0.

4. What is prototype pollution in the context of CVE-2025-57349?

Prototype pollution in CVE-2025-57349 allows an attacker to add or modify properties on shared JavaScript object prototypes through crafted message input, which can lead to denial of service or other undefined behavior in the affected application.

5. When was CVE-2025-57349 reported?

CVE-2025-57349 was reported in 2025 (published Sep 24, 2025) for the messageformat package.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.