CNNVD-202509-3801 Information

CNNVD ID

CNNVD-202509-3801

Related CVE

CVE-2025-57353

• CNNVD Published: 2025-09-24

Description (Chinese)

messageformat是messageformat开源的一个用于Javascript的ICU消息格式和Unicode消息格式库。 messageformat 3.0.1之前版本存在安全漏洞，该漏洞源于嵌套消息键验证不足，可能导致原型污染攻击。

Description (English)

Messageformat is an ICU message format and Unicode message library for Javascript. There was a safety loophole in the previous version of messageformat 3.1, which stemmed from inadequate verification of embedded message keys, which could lead to a prototype pollution attack.

Hazard Level

High

Vulnerability Type

其他

Affected Vendor

Meta Spark

Published

2025-09-24

Last Modified

2026-02-24

References

https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57353 https://github.com/messageformat/messageformat/issues/453#issuecomment-3466959449 https://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a6d14b70c0a3ce0 https://github.com/messageformat/messageformat/pull/464

Patch

https://github.com/messageformat/messageformat/releases