CVE-2025-57350

HIGH

Keyangxiang Csvtojson < 2.0.10 - Prototype Pollution

Title source: rule

Description

The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file.

References (2)

[Issue Tracking, Vendor Advisory] https://github.com/Keyang/node-csvtojson/issues/498

[Third Party Advisory] https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57350

Scores

CVSS v3 8.6

EPSS 0.0027

EPSS Percentile 50.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

keyangxiang/csvtojson < 2.0.10

npm/csvtojson 0 - 2.0.13npm

Published Sep 24, 2025

Tracked Since Feb 18, 2026