CVE-2025-57350

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-57350

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-57350.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-57350

Aliases

GHSA-vrw9-g62v-7fmf

Published

2025-09-24T18:15:41.463Z

Modified

2025-11-17T04:04:45.199496Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator

Summary

[none]

Details

The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using proto syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file.

References

Affected packages

Git / github.com/keyang/node-csvtojson

Affected ranges

Type: GIT
Repo: https://github.com/keyang/node-csvtojson
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

abf5f59dce172d78adc3c62f4e9ff5b356e3565c

Affected versions

0.*

0.3.14

0.3.4

0.3.6

0.3.7

0.3.8

0.4.7

0.5.0

1.*

1.1.0

1.1.1

1.1.3

1.1.5

1.1.7

1.1.8

1.1.9

v1.*

v1.1.10

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-57350.json"