CVE-2025-57350

HIGH
2025-09-24 [email protected]
8.6
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 19:14 vuln.today
PoC Detected
Oct 17, 2025 - 14:56 vuln.today
Public exploit code
CVE Published
Sep 24, 2025 - 18:15 nvd
HIGH 8.6

Tags

Denial Of Service Prototype Pollution Csvtojson Redhat

Description

The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file.

Analysis

The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical Context

This vulnerability is classified as Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321), which allows attackers to modify object prototypes to inject properties affecting application logic. The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file. Affected products include: Keyangxiang Csvtojson. Version information: prior to 2.0.10..

Affected Products

Keyangxiang Csvtojson.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Freeze prototypes, validate object keys, avoid recursive merging of untrusted data.

Priority Score

63
Low Medium High Critical
KEV: 0
EPSS: +0.4
CVSS: +43
POC: +20

Vendor Status

Share

CVE-2025-57350 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy