Cyber Resilience

CVE-2025-57349

High

Published: 24 September 2025

Published
24 September 2025
Modified
17 October 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0024 47.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-57349 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Openjsf Messageformat. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing…

more

special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Prototype pollution vulnerability enables remote attackers to modify the JavaScript Object prototype via crafted input, facilitating endpoint denial of service through application exploitation leading to crashes or undefined behaviors.

Affected Assets

openjsf
messageformat
≤ 2.3.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References