@messageformat/runtime is vulnerable to Prototype Pollution
65
Medium Risk
Affected versions of this package are vulnerable to prototype pollution due to improper validation of nested message keys in the addMessages method. When processing message data, the package fails to sanitize special object keys such as __proto__, allowing attackers to inject arbitrary properties into Object.prototype. This can lead to denial of service (DoS) or unpredictable application behavior.
You are affected if you are using a version that falls within the vulnerable range.
@messageformat/runtime is vulnerable to Prototype Pollution in versions 0.0.1 - 3.0.1.
Upgrade the @messageformat/runtime library to the patched version.
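The pattern described above, shown as an added example that is not code from @messageformat/runtime or from this advisory: a simplified message store that walks a caller-supplied key path, first without key validation and then with it. The function names, the store layout and the sample message data are assumptions constructed for illustration.

```javascript
// Added example: simplified stand-ins, not the library's actual code.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable pattern: plain property access on a caller-supplied key path.
// A '__proto__' segment resolves to Object.prototype, which is then written to.
function addMessagesUnsafe(store, data, keypath) {
  let obj = store;
  for (const key of keypath) {
    if (!obj[key]) obj[key] = {};
    obj = obj[key];
  }
  Object.assign(obj, data);
}

// Hardened pattern: reject dangerous segments, follow own properties only,
// and create intermediate nodes without a prototype.
function addMessagesSafe(store, data, keypath) {
  let obj = store;
  for (const key of keypath) {
    if (FORBIDDEN.has(key)) throw new TypeError(`refusing key "${key}"`);
    if (!hasOwn(obj, key)) obj[key] = Object.create(null);
    obj = obj[key];
  }
  for (const [k, v] of Object.entries(data)) {
    if (FORBIDDEN.has(k)) throw new TypeError(`refusing key "${k}"`);
    obj[k] = v;
  }
}

// Runs both versions on constructed input and reports what happened.
function demo() {
  const out = {};
  addMessagesUnsafe({}, { polluted: 'yes' }, ['__proto__']);
  out.unsafePolluted = ({}).polluted === 'yes'; // unrelated object is affected
  delete Object.prototype.polluted;             // undo the constructed pollution
  try {
    addMessagesSafe({}, { polluted: 'yes' }, ['__proto__']);
    out.safeRejected = false;
  } catch (e) {
    out.safeRejected = e instanceof TypeError;
  }
  out.cleanAfter = ({}).polluted === undefined;
  const store = {};
  addMessagesSafe(store, { hello: 'Hi' }, ['en', 'greetings']);
  out.normalWorks = store.en.greetings.hello === 'Hi';
  return out;
}

console.log(demo());
```

The same key check belongs at any boundary where message data or key paths come from untrusted input, even after upgrading.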