messageformat Package Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability has been identified in the messageformat package, which implements the Unicode MessageFormat 2 specification for JavaScript. This vulnerability exists in versions prior to 2.3.0 and allows remote attackers to inject properties into the global Object prototype by exploiting nested message keys that contain special characters, such as '__proto__'. The improper handling of these message key paths can lead to unintended modifications of the prototype, potentially causing denial-of-service conditions or other unpredictable behaviors in applications that use the affected package.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can modify the global Object prototype. This could lead to application crashes, denial-of-service conditions, or unexpected behaviors in JavaScript code that relies on the integrity of object prototypes.
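As an added illustration (not messageformat's own code), the setter below shows the pattern the advisory describes, a dotted message key walked into a nested object without checking its segments, next to a hardened replacement; the dotted-key table layout and the function names are assumptions for this example.

```javascript
// Added example, not messageformat's own code. The message table is assumed
// to be a nested object addressed by dotted keys such as "greeting.hello".

// Path segments that would walk onto Object.prototype instead of the table.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: follows each segment, including inherited ones, so the
// key "__proto__.polluted" lands on Object.prototype.
function setNestedUnsafe(target, path, value) {
  const parts = path.split('.');
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened version: rejects forbidden segments, descends only into own
// properties, and creates null-prototype containers so that even a missed
// case has no prototype chain to reach.
function setNestedSafe(target, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) throw new Error(`Invalid message key segment: ${part}`);
  }
  let node = target;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || typeof node[part] !== 'object' || node[part] === null) {
      node[part] = Object.create(null);
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Demo: the unsafe setter taints every plain object; the safe one refuses.
function demo() {
  setNestedUnsafe({}, '__proto__.polluted', 'yes');
  const leaked = ({}).polluted;        // 'yes': unrelated objects now inherit it
  delete Object.prototype.polluted;    // undo the pollution for the rest of the process
  let refused = false;
  try { setNestedSafe(Object.create(null), '__proto__.polluted', 'yes'); } catch (e) { refused = true; }
  return { leaked, refused, clean: ({}).polluted === undefined };
}
console.log(demo()); // { leaked: 'yes', refused: true, clean: true }
```

Running Node with `--disable-proto=throw` is a process-wide backstop against the `__proto__` segment specifically, but it does not cover the `constructor.prototype` route, so input validation as above is still required.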
