CVE-2025-57350
Prototype Pollution vulnerability in csvtojson (npm)
What is CVE-2025-57350 About?
The csvtojson package versions prior to 2.0.10 contain a prototype pollution vulnerability due to insufficient sanitization of nested header names during CSV parsing. This allows attackers to modify base Object prototype properties by providing specially crafted CSV input, which can lead to denial of service or unexpected application behavior. Exploitation is relatively easy, requiring only a malicious CSV file.
Affected Software
Technical Details
The prototype pollution vulnerability in csvtojson affects versions prior to 2.0.10, specifically within the parser_jsonarray component. When processing CSV input, if an attacker includes specially crafted header fields that reference prototype chains (e.g., using __proto__ as a nested key), the library's parsing logic fails to adequately sanitize these names. This allows the attacker to inject or modify properties of the global Object.prototype, which is then inherited by all objects in the JavaScript environment. By manipulating Object.prototype, an attacker can introduce arbitrary properties or alter built-in functionalities, leading to unexpected application behavior, crashes, or denial of service conditions, especially when the application relies on unmodified prototype chains and processes untrusted CSV data.
What is the Impact of CVE-2025-57350?
Successful exploitation may allow attackers to modify the behavior of global JavaScript objects, leading to arbitrary code execution, property injection, or denial of service by causing application crashes or unpredictable behavior. This can compromise data integrity and system stability.
What is the Exploitability of CVE-2025-57350?
Exploitation of this prototype pollution vulnerability is of low to moderate complexity. The primary prerequisite is for the target application to use the csvtojson package (versions prior to 2.0.10) and process untrusted CSV input. There are no specific authentication or privilege requirements; an attacker simply needs to provide a maliciously crafted CSV file to the application. The attack can be remote if the application accepts CSV file uploads or inputs from untrusted sources via a web interface. There are no special conditions, as the vulnerability directly stems from how the library processes header names. Risk factors that increase exploitation likelihood include applications that process external or user-generated CSV data without robust input validation and those that operate in environments where prototype pollution can have critical side effects (e.g., impacting object property access or other security mechanisms).
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-57350?
About the Fix from Resolved Security
This patch prevents object prototype pollution by blocking the use of object keys such as "__proto__", "constructor", and "prototype" during the dynamic creation of JavaScript objects from parsed CSV headers. By introducing these checks, it mitigates the risk described in CVE-2025-57350, which could allow attackers to tamper with object prototypes and potentially alter or compromise application behavior.
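The key check described above, shown as an added example beside a setter that lacks it. This is not csvtojson's parser code or the Resolved Security patch: the function names, the sample headers and the treatment of dot-separated header names as nested paths are assumptions made for illustration.

```javascript
// Added illustration; not csvtojson's parser code or the Resolved Security patch.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive nested setter (hypothetical): walks "a.b.c" and creates objects on the way.
function setNestedNaive(target, path, value) {
  const keys = path.split(".");
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key]; // "__proto__" resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
}

// Hardened setter: refuses blocked segments and only descends into own properties.
function setNestedSafe(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => BLOCKED_KEYS.has(k))) return false;
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return true;
}

// Builds one row object from header names and cell values with the chosen setter.
function rowToObject(headers, cells, setter) {
  const row = {};
  headers.forEach((h, i) => setter(row, h, cells[i]));
  return row;
}

// Constructed sample input: the second header uses a prototype-chain segment.
const headers = ["user.name", "__proto__.polluted", "user.role"];
const cells = ["alice", "yes", "admin"];

function demo() {
  rowToObject(headers, cells, setNestedNaive);
  const pollutedByNaive = ({}).polluted === "yes";
  delete Object.prototype.polluted; // clean up the global side effect
  const safeRow = rowToObject(headers, cells, setNestedSafe);
  return { pollutedByNaive, pollutedBySafe: ({}).polluted !== undefined, safeRow };
}
```

The hardened setter returns `false` for a rejected header, so a caller can log or drop the column instead of silently ignoring it.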
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/Keyang/node-csvtojson/issues/498
- https://nvd.nist.gov/vuln/detail/CVE-2025-57350
- https://github.com/Keyang/node-csvtojson
- https://osv.dev/vulnerability/GHSA-vrw9-g62v-7fmf
- https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57350
What are Similar Vulnerabilities to CVE-2025-57350?
Similar Vulnerabilities: CVE-2023-45136, CVE-2023-38036, CVE-2023-29007, CVE-2022-25911, CVE-2022-25881
