CVE-2025-49597

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-49597
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-49597.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-49597
Aliases
Published
2025-06-13T20:15:23Z
Modified
2025-07-01T16:33:08.457020Z
Summary
[none]
Details

handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3.

References

Affected packages

Git / github.com/handcraftedinthealps/goodby-csv

Affected ranges

Type
GIT
Repo
https://github.com/handcraftedinthealps/goodby-csv
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
acd14c6ed85116bb2cb4da35ab62821e5cf54519

Affected versions

1.*

1.4.0
1.4.1
1.4.2