FKIE_CVE-2025-57350

Vulnerability from fkie_nvd - Published: 2025-09-24 18:15 - Updated: 2025-10-17 14:56
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file.
References
cve@mitre.orghttps://github.com/Keyang/node-csvtojson/issues/498Vendor Advisory, Issue Tracking
cve@mitre.orghttps://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57350Third Party Advisory
Impacted products
Vendor Product Version
keyangxiang csvtojson *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:keyangxiang:csvtojson:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "0CEAD2C8-EB0E-43A4-9F9C-F419B13F8056",
              "versionEndExcluding": "2.0.10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file."
    },
    {
      "lang": "es",
      "value": "El paquete csvtojson, una herramienta para convertir datos CSV a JSON con capacidades de an\u00e1lisis personalizables, contiene una vulnerabilidad de contaminaci\u00f3n de prototipos en versiones anteriores a la 2.0.10. Este problema surge debido a una sanitizaci\u00f3n insuficiente de nombres de encabezado anidados durante el proceso de an\u00e1lisis en el componente parser_jsonarray. Al procesar entrada CSV que contiene campos de encabezado especialmente dise\u00f1ados que hacen referencia a cadenas de prototipos (por ejemplo, usando la sintaxis __proto__), la aplicaci\u00f3n puede modificar propiedades de forma no intencionada del prototipo base de Object. Esta vulnerabilidad puede conducir a condiciones de denegaci\u00f3n de servicio o comportamiento inesperado en aplicaciones que dependen de cadenas de prototipos no modificadas, particularmente cuando se procesan datos CSV no confiables. La falla no requiere interacci\u00f3n del usuario m\u00e1s all\u00e1 de proporcionar un archivo CSV construido maliciosamente."
    }
  ],
  "id": "CVE-2025-57350",
  "lastModified": "2025-10-17T14:56:11.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-24T18:15:41.463",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://github.com/Keyang/node-csvtojson/issues/498"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57350"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.