FKIE_CVE-2025-57353

Vulnerability from fkie_nvd - Published: 2025-09-24 18:15 - Updated: 2025-10-31 00:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle.
References
cve@mitre.orghttps://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57353
cve@mitre.orghttps://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a6d14b70c0a3ce0
cve@mitre.orghttps://github.com/messageformat/messageformat/issues/453
cve@mitre.orghttps://github.com/messageformat/messageformat/issues/453#issuecomment-3466959449
cve@mitre.orghttps://github.com/messageformat/messageformat/pull/464
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application\u0027s lifecycle."
    },
    {
      "lang": "es",
      "value": "Los componentes de tiempo de ejecuci\u00f3n del paquete messageformat para Node.js anteriores a la versi\u00f3n 3.0.1 contienen una vulnerabilidad de contaminaci\u00f3n de prototipos. Debido a la validaci\u00f3n insuficiente de claves de mensaje anidadas durante el procesamiento de datos de mensajes, un atacante puede manipular la cadena de prototipos de objetos JavaScript al proporcionar una entrada especialmente dise\u00f1ada. Esto puede resultar en la inyecci\u00f3n de propiedades arbitrarias en el Object.prototype, lo que podr\u00eda llevar a condiciones de denegaci\u00f3n de servicio o un comportamiento inesperado de la aplicaci\u00f3n. La vulnerabilidad permite a los atacantes alterar el prototipo de objetos base, impactando todas las instancias de objetos subsiguientes a lo largo del ciclo de vida de la aplicaci\u00f3n. Este problema permanece sin abordar en la \u00faltima versi\u00f3n disponible."
    }
  ],
  "id": "CVE-2025-57353",
  "lastModified": "2025-10-31T00:15:37.110",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-24T18:15:41.793",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57353"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a6d14b70c0a3ce0"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/messageformat/messageformat/issues/453"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/messageformat/messageformat/issues/453#issuecomment-3466959449"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/messageformat/messageformat/pull/464"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.