CVE-2025-57318
Description
A Prototype Pollution vulnerability in the toCsv function of csvjson versions through 5.1.0 allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability in csvjson's toCsv function up to version 5.1.0 allows attackers to cause denial of service via crafted input.
The csvjson npm package, a library for CSV and JSON conversion, is vulnerable to prototype pollution in its toCsv function. The flaw resides in the addDataInSchema helper, which improperly handles user-supplied input, allowing an attacker to inject arbitrary properties into Object.prototype [1][3].
Exploitation requires no authentication and can be achieved by supplying a crafted CSV payload to an application using the vulnerable function. The attacker only needs network access to deliver the payload, making this a low-complexity attack [2].
The minimum impact is denial of service (DoS) due to prototype pollution, but in contexts where the modified prototype is later accessed, arbitrary code execution may also be possible [3]. As of the latest release (version 5.1.0), no patch has been provided, leaving all versions up to and including 5.1.0 affected [1][2].
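To make the mechanism described above concrete, the following is an added illustration, not csvjson's own code: a recursive schema builder written in the style the description suggests (a helper that walks JSON records to derive CSV columns), placed beside a hardened form. Only the name addDataInSchema comes from the advisory text; the function bodies, the suffixes Vulnerable/Safe, the demo harness and the payload are assumptions made for this example.

```javascript
// Illustrative reproduction of the vulnerable pattern (not csvjson's code):
// a recursive schema builder that walks the keys of JSON records to derive
// CSV columns. The body is an assumption about how such a helper is written.
function addDataInSchemaVulnerable(schema, data) {
  for (const key of Object.keys(data)) {
    const value = data[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      // BUG: when key is "__proto__", schema[key] resolves through the
      // inherited accessor to Object.prototype, so the recursion below
      // writes leaf keys straight into Object.prototype.
      if (schema[key] === null || typeof schema[key] !== "object") {
        schema[key] = {};
      }
      addDataInSchemaVulnerable(schema[key], value);
    } else {
      schema[key] = true; // leaf value: becomes a CSV column
    }
  }
  return schema;
}

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant: reject prototype-related keys, only descend into own
// properties, and build nested schema nodes on null-prototype objects so
// no inherited accessor is reachable through bracket assignment.
function addDataInSchemaSafe(schema, data) {
  for (const key of Object.keys(data)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop the pollution vector
    const value = data[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.hasOwn(schema, key) ||
          schema[key] === null || typeof schema[key] !== "object") {
        schema[key] = Object.create(null);
      }
      addDataInSchemaSafe(schema[key], value);
    } else {
      schema[key] = true;
    }
  }
  return schema;
}

// Constructed attacker payload (assumption, not from the advisory).
// JSON.parse creates an *own* "__proto__" key rather than invoking the
// setter, so Object.keys() hands it to the walker like any other column.
const PAYLOAD = '{"name":"alice","__proto__":{"polluted":"yes"}}';

// Runs a builder over the payload, records whether Object.prototype was
// modified and whether an unrelated fresh object now "has" the injected
// key (the collateral effect that breaks later for...in / lookup logic),
// then removes any pollution so the rest of the process is unaffected.
function demo(builder, makeRoot) {
  const schema = builder(makeRoot(), JSON.parse(PAYLOAD));
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  const leakedIntoOthers = "polluted" in {};
  const columns = Object.keys(schema);
  delete Object.prototype.polluted; // cleanup
  return { polluted, leakedIntoOthers, columns };
}

function runVulnerable() {
  return demo(addDataInSchemaVulnerable, () => ({}));
}

function runSafe() {
  return demo(addDataInSchemaSafe, () => Object.create(null));
}

console.log("vulnerable:", runVulnerable()); // polluted: true, columns ["name"]
console.log("safe:      ", runSafe());       // polluted: false, columns ["name"]
```

Note that the injected key never appears among the schema's own columns in either run, so the polluted output looks identical to a clean one; the only reliable check is on Object.prototype itself, which is why a key allowlist (or a null-prototype accumulator) belongs in the parser rather than in whatever consumes its result.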
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| csvjson (npm) | <= 5.1.0 | none |
Affected products
- csvjson/csvjson
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.