3 matches found
icu-to-json (>=0.0.1 <=0.0.20) potentially affected by CVE-2025-57353 via @messageformat/runtime (=3.0.1)
@messageformat/runtime NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on @messageformat/runtime and may be impacted:
- icu-to-json =0.0.1, =0.0.20
Source CVEs: CVE-2025-57353
Source advisory: OSV:GHSA-6XV4-9CQP-92RH...
PT-2025-39317
Name of the Vulnerable Software and Affected Versions
messageformat versions prior to 3.0.1
Description
The Runtime components of the messageformat package for Node.js are susceptible to a prototype pollution issue. Insufficient validation of nested message keys during message data processing...
CVE-2025-57353
The Runtime components of the messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing...