2397911 – (CVE-2025-57350) CVE-2025-57350 csvtojson: csvtojson prototype pollution

Bug 2397911 (CVE-2025-57350) - CVE-2025-57350 csvtojson: csvtojson prototype pollution

Summary: CVE-2025-57350 csvtojson: csvtojson prototype pollution

Keywords:
Status:	NEW
Alias:	CVE-2025-57350
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-24 19:01 UTC by OSIDB Bzimport
Modified:	2025-09-26 20:30 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-24 19:01:48 UTC

The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file.

Note You need to log in before you can comment on or make changes to this bug.