csvjson Prototype Pollution Vulnerability Allowing Denial-of-Service

Vulnerability

A prototype pollution vulnerability has been identified in the csvjson package in versions prior to 5.1.0. It arises from improper handling of user input in the 'toCsv' function, which allows an attacker to inject properties into 'Object.prototype'. Because every ordinary object inherits from that prototype, the injected properties are visible application-wide, and the application may become unresponsive or behave unexpectedly when it processes the polluted prototype, resulting in a denial-of-service condition.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into the 'Object.prototype'. This can disrupt the normal operation of the application, potentially leading to denial-of-service conditions. Additionally, in contexts where the modified prototype is accessed, it could allow for unauthorized code execution.

Reproduction

To reproduce this vulnerability, use a version of the csvjson package prior to 5.1.0 and supply the 'toCsv' function with a crafted payload whose user-controlled keys are handled improperly, so that properties are written to 'Object.prototype' instead of to the intended object. Once the prototype has been polluted, the application may exhibit denial-of-service behavior, such as becoming unresponsive or crashing.
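
As an added illustration (not csvjson's own code), the following shows the general pattern behind this vulnerability class: a converter that maps user-controlled keys onto an object through a path setter can be steered into 'Object.prototype', while a hardened setter refuses prototype-reaching keys and a post-processing check detects pollution. The 'rowFor' converter, the header names and the sample rows are constructed assumptions, not taken from the package.

```javascript
// Constructed example: a naive dotted-header path setter beside a hardened
// one, plus an integrity check. Not csvjson's implementation.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter of the kind a CSV/JSON converter might use for a header such
// as "address.city". For the path ["__proto__", "x"] the first lookup
// resolves to Object.prototype, so the final write pollutes it.
function setPathNaive(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened setter: reject prototype-reaching segments, descend only into own
// properties, and create intermediate nodes without a prototype chain.
function setPathSafe(target, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`unsafe key segment: ${key}`);
  }
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hypothetical converter entry point: one CSV row becomes an object, with
// dotted header names turned into nested paths via the supplied setter.
function rowFor(headers, values, setPath) {
  const row = {};
  headers.forEach((h, i) => setPath(row, String(h).split('.'), values[i]));
  return row;
}

// Integrity check to run after processing untrusted input: a clean
// Object.prototype exposes no own enumerable properties.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```

The same 'prototypeIsClean' check can be wired into a health endpoint or a test suite so that a pollution event surfaces before it turns into an outage.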

Remediation

Users are advised to update to csvjson version 5.1.0 or later, where this vulnerability has been addressed.

Added: Sep 24, 2025, 10:02 PM
Updated: Sep 24, 2025, 10:02 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.