FKIE_CVE-2025-57349

Vulnerability from fkie_nvd - Published: 2025-09-24 19:15 - Updated: 2025-10-17 14:49
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.
References
cve@mitre.orghttps://github.com/messageformat/messageformat/issues/452Third Party Advisory, Issue Tracking
Impacted products
Vendor Product Version
openjsf messageformat *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openjsf:messageformat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4FE4A8B8-B756-472C-90B5-CF7BCCB528E6",
              "versionEndExcluding": "2.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component."
    },
    {
      "lang": "es",
      "value": "El paquete messageformat, una implementaci\u00f3n de la especificaci\u00f3n Unicode MessageFormat 2 para JavaScript, es vulnerable a la Contaminaci\u00f3n de Prototipos debido a un manejo inadecuado de las rutas de claves de mensajes en versiones anteriores a la 2.3.0. La falla surge al procesar claves de mensajes anidadas que contienen caracteres especiales (p. ej., __proto__), lo que puede llevar a una modificaci\u00f3n no intencionada del prototipo de objeto de JavaScript. Esta vulnerabilidad puede permitir a un atacante remoto inyectar propiedades en el prototipo de objeto global a trav\u00e9s de una entrada de mensaje especialmente dise\u00f1ada, lo que podr\u00eda causar una denegaci\u00f3n de servicio u otros comportamientos indefinidos en aplicaciones que utilizan el componente afectado."
    }
  ],
  "id": "CVE-2025-57349",
  "lastModified": "2025-10-17T14:49:25.293",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-24T19:15:40.233",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "Issue Tracking"
      ],
      "url": "https://github.com/messageformat/messageformat/issues/452"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.