Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
csvtojson Prototype Pollution Vulnerability Allowing Denial-of-Service Prior to 2.0.10
Vulnerability
A prototype pollution vulnerability has been identified in the csvtojson package, which is used to convert CSV data to JSON with customizable parsing options. This vulnerability exists in versions prior to 2.0.10 and arises from inadequate sanitization of nested header names in the 'parser_jsonarray' component during the CSV parsing process. When the package processes CSV files with specially crafted headers that reference prototype chains, such as those using the '__proto__' syntax, it can unintentionally alter properties of the base Object prototype. This manipulation can lead to denial-of-service conditions, such as application crashes or hangs, and cause unexpected behavior in applications that depend on unmodified prototype chains. The vulnerability can be exploited by supplying a maliciously crafted CSV file, without requiring any additional user interaction.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into the global Object prototype. This can disrupt the normal behavior of applications, especially those that process untrusted CSV data, potentially leading to application crashes, hangs, or other unexpected behaviors. Furthermore, according to the vulnerability's GitHub issue, such prototype modifications could bypass validation logic, creating downstream security risks.
Reproduction
To reproduce this vulnerability, use a version of the csvtojson package prior to 2.0.10. Create a CSV file whose nested headers reference the prototype chain, for example via the '__proto__' syntax. When this file is processed with the vulnerable csvtojson version, the header manipulation alters the global Object.prototype, injecting the specified properties. This can be verified by checking the Object prototype for the injected properties, or by observing changes in the behavior of application code that relies on the prototype chain.
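As an added illustration (not csvtojson's own code), the following shows the defensive side of the two passages above: a nested-header assignment that refuses prototype-chain segments before they can reach Object.prototype, and a post-parse check of the kind the reproduction step describes for confirming the prototype is untouched. The dotted-path header convention, the function names and the sample CSV rows are assumptions.

```javascript
// Added example, not from the csvtojson project. Headers such as "user.name"
// are split on "." to build nested objects; the path segments are checked
// before any assignment so "__proto__" style headers are rejected outright.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns value at a dotted path, throwing on any segment that could walk
// the prototype chain. Intermediate objects get a null prototype, so even
// a missed key could not reach Object.prototype through them.
function assignNestedKey(target, dottedPath, value) {
  const segments = dottedPath.split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`rejected unsafe header segment: ${JSON.stringify(seg)}`);
    }
  }
  let cursor = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const existing = cursor[seg];
    if (!Object.prototype.hasOwnProperty.call(cursor, seg) ||
        typeof existing !== 'object' || existing === null) {
      cursor[seg] = Object.create(null);
    }
    cursor = cursor[seg];
  }
  cursor[segments[segments.length - 1]] = value;
  return target;
}

// Minimal CSV reader (comma separated, no quoting) returning one object per row.
function rowsFromCsv(csvText) {
  const lines = csvText.trim().split(/\r?\n/);
  const headers = lines[0].split(',').map((h) => h.trim());
  return lines.slice(1).map((line) => {
    const cells = line.split(',');
    const row = Object.create(null);
    headers.forEach((h, i) => assignNestedKey(row, h, cells[i] ?? ''));
    return row;
  });
}

// Audit check after parsing untrusted CSV: true if Object.prototype did not
// gain the given property (the "check the Object prototype" step above).
function prototypeIsClean(marker) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, marker) &&
         ({})[marker] === undefined;
}

// Constructed sample inputs (assumed, not taken from the advisory).
const BENIGN_CSV = 'id,user.name,user.role\n1,alice,admin\n2,bob,viewer\n';
const HOSTILE_CSV = 'id,__proto__.polluted\n1,yes\n';
```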
Remediation
Users can upgrade to csvtojson version 2.0.10 or later to address this vulnerability.