GHSA-6xv4-9cqp-92rh

Source

https://github.com/advisories/GHSA-6xv4-9cqp-92rh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-6xv4-9cqp-92rh/GHSA-6xv4-9cqp-92rh.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-6xv4-9cqp-92rh

Aliases

CVE-2025-57353

Published

2025-09-24T18:30:31Z

Modified

2025-10-31T15:12:38Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

messageformat prototype pollution vulnerability

Details

The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. Version 3.0.2 contains a fix.

Database specific

{
    "nvd_published_at": "2025-09-24T18:15:41Z",
    "github_reviewed_at": "2025-09-24T20:11:09Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed": true,
    "severity": "MODERATE"
}

References

Affected packages

npm / @messageformat/runtime

Package

Name: @messageformat/runtime; View open source insights on deps.dev
Purl: pkg:npm/%40messageformat/runtime

Affected ranges

Type: SEMVER
Events: Introduced

3.0.1

Fixed

3.0.2

Affected versions

3.*

3.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-6xv4-9cqp-92rh/GHSA-6xv4-9cqp-92rh.json"