CVE-2025-57350
Published: 24 September 2025
Summary
CVE-2025-57350 is a high-severity Prototype Pollution (CWE-1321) vulnerability in the csvtojson Node.js package (listed under vendor Keyangxiang). Its CVSS base score is 8.6 (High).
Exploitation maps to the MITRE ATT&CK technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE ranks in the top 50.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: identify, report, and patch the prototype pollution flaw by moving off csvtojson versions prior to 2.0.10.
- SI-10 (Information Input Validation): validate CSV inputs before parsing, including rejecting or sanitizing nested header names such as __proto__ that would otherwise be used as prototype pollution payloads.
- CM-10 (Software Usage Restrictions): restrict use of vulnerable csvtojson versions and authorize only fixed versions, 2.0.10 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1499.004 (Endpoint Denial of Service: Application or System Exploitation): prototype pollution via crafted CSV headers modifies Object.prototype, so every object in the process inherits attacker-controlled properties; in applications that depend on an unmodified prototype chain this manifests as crashes, infinite loops, or resource exhaustion, i.e. an application denial of service.
NVD Description
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file.
Deeper analysis
CVE-2025-57350 is a prototype pollution vulnerability in csvtojson, a Node.js package for converting CSV data to JSON with customizable parsing, affecting versions prior to 2.0.10. The flaw is in the parser_jsonarray component: nested header names (the dotted "a.b" form that the parser expands into nested objects) are not sanitized, so a header field that references the prototype chain, such as one using __proto__ syntax, causes the parser to write attacker-chosen properties onto the base Object prototype while a malicious CSV is processed.
A remote attacker needs no privileges or user interaction beyond getting a crafted CSV file parsed by the application, and exploitation is low complexity. The result is denial of service or unexpected behavior in any code that relies on an unmodified prototype chain, which is why applications that parse untrusted CSV are the primary concern. The CVSS v3.1 base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), a vector that rates confidentiality impact high and integrity and availability impact low; the weakness is classified as CWE-1321.
Advisories recommend upgrading to csvtojson version 2.0.10 or later to mitigate the issue through improved sanitization. Further details are documented in the GitHub issue at https://github.com/Keyang/node-csvtojson/issues/498, with a proof-of-concept available at https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57350.
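The following JavaScript is an added illustration of the mechanism described above; it is not csvtojson's code and not the linked PoC. It re-implements, in a deliberately minimal way, the "nested header" behaviour (header `a.b` becomes `{a: {b: value}}`) with two setters: `setNestedUnsafe`, which walks the dotted path without checks and therefore lets a `__proto__.polluted` header write into `Object.prototype`, and `setNestedSafe`, which applies the SI-10 style input validation recommended above (rejecting `__proto__`, `constructor` and `prototype` segments and only descending into own properties). The function names and the two CSV inputs are constructed for this example; the CSV splitting is simplified and does not handle quoted fields.

```javascript
// Added example, not csvtojson's implementation. Demonstrates how an
// unsanitized nested header pollutes Object.prototype, and one hardened form.

// Header segments that must never be used as object keys when building
// nested output from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed inputs for the demo (not from the advisory or the PoC).
const MALICIOUS_CSV = ['id,__proto__.polluted', '1,yes'].join('\n');
const BENIGN_CSV = ['id,user.name', '1,alice'].join('\n');

// Unsafe: walks the dotted path, creating intermediate objects as needed.
// For "__proto__.polluted", cur["__proto__"] resolves to Object.prototype,
// so the final assignment lands on the shared prototype of every object.
function setNestedUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened: reject prototype-chain segments outright, and only descend into
// own, plain-object properties so an inherited accessor is never followed.
function setNestedSafe(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) {
      throw new Error(`rejected header segment "${p}" in header "${path}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
}

// Minimal CSV -> array of objects converter; the setter decides how the
// header path is expanded. No quoting support (constructed demo only).
function csvToJson(text, setNested) {
  const lines = text.split('\n').filter((l) => l.length > 0);
  const headers = lines[0].split(',');
  return lines.slice(1).map((line) => {
    const row = {};
    line.split(',').forEach((cell, i) => setNested(row, headers[i], cell));
    return row;
  });
}

// Runs both variants and returns observable evidence of pollution.
// ({}).polluted is the canonical check: a fresh object should have no
// such property unless Object.prototype has been modified.
function demo() {
  const before = ({}).polluted;
  csvToJson(MALICIOUS_CSV, setNestedUnsafe);
  const afterUnsafe = ({}).polluted; // 'yes': every object is now polluted
  delete Object.prototype.polluted; // clean up so the safe run starts fresh

  let safeRejected = false;
  try {
    csvToJson(MALICIOUS_CSV, setNestedSafe);
  } catch (e) {
    safeRejected = true; // malicious header refused before any assignment
  }
  const afterSafe = ({}).polluted;
  const benign = csvToJson(BENIGN_CSV, setNestedSafe);
  return { before, afterUnsafe, safeRejected, afterSafe, benign };
}

console.log(JSON.stringify(demo()));
```

The `({}).polluted` check is also a cheap runtime canary: an application that parses untrusted CSV can assert after parsing that a fresh object has no unexpected inherited properties, which turns silent pollution into a detectable failure. Rejecting the forbidden segments is preferable to stripping them, since a rejected file surfaces the attack attempt instead of quietly producing different output.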
Details
- CWE(s)