messageformat Prototype Pollution Vulnerability CVE-2025-XXXXX (Low)


The vulnerability in messageformat versions prior to 2.3.0 stems from missing sanitization of nested message keys. When parsing a message catalog, the library splits dotted key paths and uses each segment to set a property on a data object. If an attacker supplies a key path containing a segment such as `__proto__` or `constructor.prototype`, the setter does not stop it from walking onto the prototype chain: `__proto__` is an inherited accessor that resolves to the object's prototype rather than an own property, and `constructor.prototype` reaches the same `Object.prototype` through the `Object` constructor. Instead of assigning the value to the local data object, the final assignment lands on `Object.prototype`, which every ordinary object inherits from. This pollutes every object in the application and can lead to denial of service by overriding fundamental methods such as `toString` or `valueOf`, or to unexpected behavior in application logic that iterates over object properties or checks for the presence of a property (for example `if (user.isAdmin)`).
Platform: Node.js
Version: <2.3.0
Vulnerability: Prototype Pollution
Severity: Low

date: 2025-09-24

Prediction: Patch available (2025-09-24)

What Undercode Say:

# Check whether a vulnerable version is installed
npm audit
npm list messageformat

// Proof-of-Concept (run against messageformat < 2.3.0)
const MessageFormat = require('messageformat');
const mf = new MessageFormat('en');
const messages = {
  '__proto__.polluted': 'yes' // key path traverses into Object.prototype
};
mf.compile(messages);
console.log({}.polluted); // Outputs 'yes' on a vulnerable version

How Exploit:

An attacker can exploit this by providing a maliciously crafted message bundle as input to an application that uses the vulnerable messageformat library for internationalization. The payload uses key paths like `__proto__.polluted` or `constructor.prototype.isAdmin` to inject properties into the global prototype.

Protection from this CVE:

Upgrade messageformat to version 2.3.0 or later. The patch adds validation to ensure message keys are safe and cannot traverse the prototype chain. In addition, validate all message keys that come from external sources and reject any path segment equal to `__proto__`, `constructor` or `prototype`; store catalog data in objects created with `Object.create(null)`, which have no prototype and therefore no `__proto__` accessor to walk through; and when descending a key path, only follow own properties (`Object.prototype.hasOwnProperty.call(obj, key)`), never inherited ones.
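To make both the mechanism described above and the recommended hardening concrete, the following is an added example and not code from messageformat itself: a minimal dot-path setter of the kind an i18n catalog loader uses, shown in a vulnerable form and a hardened form. The function names (`setPathUnsafe`, `setPathSafe`, `loadCatalog`, `demo`) and the hostile catalog are hypothetical and constructed for illustration.

```javascript
// Added example (not messageformat's own code). Names are hypothetical.
// Demonstrates why a naive dot-path setter pollutes Object.prototype and how a
// blocklist + own-property checks + null-prototype objects prevent it.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks the path with plain property access and only creates an
// intermediate object when the segment is undefined. "__proto__" is never
// undefined on an ordinary object (it is the inherited accessor for the
// prototype), and "constructor" resolves to Object, whose "prototype" is
// Object.prototype, so both paths end up writing onto the shared prototype.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (const part of parts.slice(0, -1)) {
    if (cur[part] === undefined) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: reject dangerous segments outright, descend only into own
// properties, and create intermediates without a prototype.
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (BLOCKED_KEYS.has(part)) {
      throw new Error(`unsafe key segment in message path: ${path}`);
    }
  }
  let cur = target;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, part);
    if (!own || typeof cur[part] !== 'object' || cur[part] === null) {
      cur[part] = Object.create(null); // no __proto__ accessor to traverse
    }
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Loads a flat { "dotted.key": message } catalog into target with the given setter.
function loadCatalog(setPath, catalog, target) {
  for (const [path, msg] of Object.entries(catalog)) setPath(target, path, msg);
  return target;
}

// Constructed attacker-controlled catalog mixing a benign key with two
// prototype-pollution payloads.
const HOSTILE_CATALOG = {
  'greeting.hello': 'Hello',
  '__proto__.polluted': 'yes',
  'constructor.prototype.isAdmin': true,
};

function demo() {
  const results = {};

  // Vulnerable path: after loading, every fresh object inherits the payload.
  loadCatalog(setPathUnsafe, HOSTILE_CATALOG, {});
  results.unsafePolluted = ({}).polluted;  // 'yes'
  results.unsafeIsAdmin = ({}).isAdmin;    // true

  // Clean up the global prototype so the rest of the process is unaffected.
  delete Object.prototype.polluted;
  delete Object.prototype.isAdmin;

  // Hardened path: the catalog is rejected and nothing leaks into Object.prototype.
  let rejected = false;
  try {
    loadCatalog(setPathSafe, HOSTILE_CATALOG, Object.create(null));
  } catch (e) {
    rejected = true;
  }
  results.safeRejected = rejected;         // true
  results.safePolluted = ({}).polluted;    // undefined

  // A benign catalog still loads normally through the hardened setter.
  const safeTarget = loadCatalog(setPathSafe, { 'greeting.hello': 'Hello' }, Object.create(null));
  results.safeGreeting = safeTarget.greeting.hello; // 'Hello'

  return results;
}

console.log(demo());
```

The blocklist alone is enough to stop the two payloads shown, but the own-property check and `Object.create(null)` matter as defence in depth: they keep the setter from following any inherited property (not just `__proto__`) and leave no accessor on the container for a future bypass to abuse.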

Impact:

Denial of Service, Application instability, Potential remote code execution if other vulnerabilities are chained. The impact is limited by the need to control the input message data.


Sources:

Reported By: github.com