VYPR

Messageformat

by Messageformat

npm: messageformat

Source repositories

CVEs (2)

  • CVE-2025-57353MedSep 24, 2025
    risk 0.27cvss 5.3epss 0.00

    The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects…

  • CVE-2025-57349Sep 24, 2025
    risk 0.00cvss epss 0.00

    The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing…