GHSA-vrw9-g62v-7fmf

Source
https://github.com/advisories/GHSA-vrw9-g62v-7fmf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-vrw9-g62v-7fmf/GHSA-vrw9-g62v-7fmf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vrw9-g62v-7fmf
Aliases
Related
Published
2025-09-24T18:30:31Z
Modified
2026-01-30T00:44:17.273233Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
CSVTOJSON has a prototype pollution vulnerability
Details

The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. The issue arises from insufficient sanitization of nested header names during parsing in the parser_jsonarray component. When CSV input contains specially crafted header fields that reference the prototype chain (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This can lead to denial of service or unexpected behavior in applications that rely on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw requires no user interaction beyond supplying a maliciously constructed CSV file.
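The following is an added example, not csvtojson's own code: it shows the defensive check a parser that maps dotted CSV headers to nested JSON objects should apply, rejecting header segments that would walk the prototype chain and only descending through own properties. The forbidden-segment list and the function names are assumptions about one common mitigation, not a description of the upstream fix.

```javascript
// Added example, not csvtojson's own code: build nested objects from dotted
// CSV headers while refusing segments that walk the prototype chain.
// The forbidden-segment list is an assumed mitigation, not the upstream fix.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split a dotted header into path segments and reject unsafe ones up front.
function parseHeaderPath(header) {
  const segments = header.split(".");
  for (const seg of segments) {
    if (seg === "" || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected unsafe header segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// Assign value at the nested path, creating intermediate plain objects.
// Only own properties are reused as containers; inherited ones are never used.
function setNested(target, segments, value) {
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Convert one CSV row (already split into fields) into a nested object.
function rowToObject(headers, fields) {
  const out = {};
  headers.forEach((h, i) => setNested(out, parseHeaderPath(h), fields[i]));
  return out;
}

// Constructed sample input: a benign row, then a row whose header references
// the prototype chain; the second must be rejected with Object.prototype intact.
function demo() {
  const ok = rowToObject(["id", "user.name"], ["1", "alice"]);
  let rejected = false;
  try {
    rowToObject(["__proto__.polluted", "id"], ["yes", "2"]);
  } catch (e) {
    rejected = true;
  }
  return { ok, rejected, clean: !("polluted" in {}) };
}
```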

Database specific
{
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed_at": "2025-09-24T20:10:59Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2025-09-24T18:15:41Z"
}
References

Affected packages

Package: npm / csvtojson

Affected ranges
Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version / all previous versions are affected)
  Fixed: 2.0.13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-vrw9-g62v-7fmf/GHSA-vrw9-g62v-7fmf.json"