csvtojson-2.0.10.tgz: 1 vulnerabilities (highest severity is: 8.6) #2833

@mend-bolt-for-github

Vulnerable Library - csvtojson-2.0.10.tgz

A tool concentrating on converting csv data to JSON with customised parser supporting

Library home page: https://registry.npmjs.org/csvtojson/-/csvtojson-2.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (csvtojson version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-57350 | High | 8.6 | csvtojson-2.0.10.tgz | Direct | 2.0.12 | Yes |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-57350

Dependency Hierarchy:

  • csvtojson-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7

Found in base branch: master

Vulnerability Details

The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability up to 2.0.11. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using `__proto__` syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file.

Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-24

URL: CVE-2025-57350

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-09-24

Fix Resolution: 2.0.12
