Description
Summary
The csvtojson package, a popular CSV-to-JSON conversion tool, contains a prototype pollution vulnerability in versions prior to 2.0.10. This flaw allows attackers to manipulate the prototype chain of JavaScript objects by exploiting insufficient sanitization of nested header names during CSV parsing. Processing maliciously crafted CSV files with specially designed headers (e.g., containing __proto__ syntax) can lead to denial of service (DoS) or unintended application behavior, particularly in systems relying on unmodified prototype chains.
Details
The vulnerability exists in the parser_jsonarray component of the csvtojson library, which handles nested header parsing for CSV data. When processing headers with properties containing __proto__ or similar prototype-referencing patterns, the library fails to properly sanitize input, allowing attackers to inject properties into the base Object prototype. This occurs due to the lack of validation for nested property paths in header names.
For example, a CSV header like a.__proto__.injectedProp could trigger the vulnerability, modifying the global Object.prototype and affecting subsequent operations in applications that process untrusted CSV data.
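One way to validate nested header paths before building row objects, shown against the header from the paragraph above. This is an added example, not csvtojson's code or its actual fix; the function names (safeHeaderPath, defineOwn, setNested, rowToObject) and the sample row are constructed for illustration.

```javascript
// Added example, not csvtojson's code; all function names are hypothetical.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Split a nested header ("a.b.c") and refuse prototype-referencing segments.
function safeHeaderPath(header) {
  const parts = String(header).split(".").map((p) => p.trim());
  const bad = parts.find((p) => BLOCKED.has(p));
  if (bad !== undefined) {
    throw new RangeError(`blocked segment "${bad}" in header "${header}"`);
  }
  return parts;
}

// Define an own data property; unlike `obj[key] = v`, this never invokes the
// inherited __proto__ setter.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

// Walk or create the path using own properties only (defence in depth: safe
// even if a caller forgets to run safeHeaderPath first).
function setNested(target, parts, value) {
  let node = target;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== "object") {
      defineOwn(node, key, {});
    }
    node = node[key];
  }
  defineOwn(node, parts[parts.length - 1], value);
  return target;
}

// Build one row object; columns with blocked headers are skipped and reported.
function rowToObject(headers, values) {
  const row = {};
  const rejected = [];
  headers.forEach((header, i) => {
    try {
      setNested(row, safeHeaderPath(header), values[i]);
    } catch (err) {
      if (!(err instanceof RangeError)) throw err;
      rejected.push(header);
    }
  });
  return { row, rejected };
}

// Constructed sample row: two benign columns plus the advisory's example header.
const sample = rowToObject(
  ["name", "address.city", "a.__proto__.injectedProp"],
  ["alice", "Oslo", "x"],
);
console.log(JSON.stringify(sample), "polluted:", "injectedProp" in {});
```

Logging the `rejected` list gives an application a detection signal for CSV uploads that carry prototype-referencing headers.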
Impact
- Vulnerability Type: Prototype Pollution (CWE-1321)
- Affected Users: Applications or services using csvtojson versions <=2.0.10 that process untrusted CSV files.
- Exploitation Requirements: An attacker must supply a malicious CSV file. No additional user interaction is required.
- Potential Consequences:
  - Denial of service (e.g., application crashes or hangs).
  - Unexpected behavior in code relying on unmodified prototype chains.
  - Potential for downstream security issues if prototype modifications bypass validation logic.