Publish Advisories

GHSA-hhf6-3xpg-pggx
GHSA-xfqm-j7pc-xrfc

Author: advisory-database[bot]

…-hhf6-3xpg-pggx/GHSA-hhf6-3xpg-pggx.json …-hhf6-3xpg-pggx/GHSA-hhf6-3xpg-pggx.jsonadvisories/unreviewed/2025/09/GHSA-hhf6-3xpg-pggx/GHSA-hhf6-3xpg-pggx.json renamed to advisories/github-reviewed/2025/09/GHSA-hhf6-3xpg-pggx/GHSA-hhf6-3xpg-pggx.json advisories/unreviewed/2025/09/GHSA-hhf6-3xpg-pggx/GHSA-hhf6-3xpg-pggx.json renamed to advisories/github-reviewed/2025/09/GHSA-hhf6-3xpg-pggx/GHSA-hhf6-3xpg-pggx.json

@@ -1,33 +1,69 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hhf6-3xpg-pggx",
-  "modified": "2025-09-24T21:30:37Z",
+  "modified": "2025-09-25T16:46:20Z",
   "published": "2025-09-24T21:30:37Z",
   "aliases": [
     "CVE-2025-57330"
   ],
+  "summary": "web3-core-subscriptions has a Prototype Pollution vulnerability",
   "details": "The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "web3-core-subscriptions"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.0.0-alpha.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57330"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/web3/web3.js/commit/d9660426c12210c5071aeb4e1a647c6ea9d67b12"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/web3-core-subscriptions%401.10.4/index.js"
     },
     {
       "type": "WEB",
       "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57330"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/web3/web3.js"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-25T16:46:20Z",
     "nvd_published_at": "2025-09-24T19:15:39Z"
   }
 }

…-xfqm-j7pc-xrfc/GHSA-xfqm-j7pc-xrfc.json …-xfqm-j7pc-xrfc/GHSA-xfqm-j7pc-xrfc.jsonadvisories/unreviewed/2025/09/GHSA-xfqm-j7pc-xrfc/GHSA-xfqm-j7pc-xrfc.json renamed to advisories/github-reviewed/2025/09/GHSA-xfqm-j7pc-xrfc/GHSA-xfqm-j7pc-xrfc.json advisories/unreviewed/2025/09/GHSA-xfqm-j7pc-xrfc/GHSA-xfqm-j7pc-xrfc.json renamed to advisories/github-reviewed/2025/09/GHSA-xfqm-j7pc-xrfc/GHSA-xfqm-j7pc-xrfc.json

@@ -1,14 +1,43 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xfqm-j7pc-xrfc",
-  "modified": "2025-09-24T21:30:37Z",
+  "modified": "2025-09-25T16:46:42Z",
   "published": "2025-09-24T21:30:37Z",
   "aliases": [
     "CVE-2025-57349"
   ],
+  "summary": "messageformat has a prototype pollution vulnerability",
   "details": "The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "messageformat"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.0-beta.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.3.0"
+      }
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -17,13 +46,19 @@
     {
       "type": "WEB",
       "url": "https://github.com/messageformat/messageformat/issues/452"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/messageformat/messageformat"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-25T16:46:42Z",
     "nvd_published_at": "2025-09-24T19:15:40Z"
   }
 }