VYPR

npm package

messageformat

pkg:npm/messageformat

Vulnerabilities (1)

  • CVE-2025-57349 (Sep 24, 2025)
    affected: < 3.0.0-beta.0; fixed: 3.0.0-beta.0

    The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing