Describe the bug
Prototype Pollution vulnerability in csv-parse when using objname and columns options together. A malicious CSV file can overwrite the prototype of the records object returned in the parse callback.
- Affected version: csv-parse v6.2.0
- File:
packages/csv-parse/lib/index.js:110
- Sink:
records[record[0]] = record[1]
- Auth required: No
- CVSS: 6.5 (Medium) AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
disclosure-report.md
REGISTRY.md
To Reproduce
import { parse } from 'csv-parse';
const input = `key,value\n__proto__,polluted\n`;
parse(input, { objname: 'key', columns: true }, (err, records) => {
console.log('Polluted:', Object.getPrototypeOf(records) !== Object.prototype);
// Output: true
});Additional context
When __proto__ is used as a column value, records['__proto__'] is assigned, overwriting the prototype of the result object. This can lead to logic bypasses in applications that process the result object further.
Similar pattern to CVE-2022-24760.
Describe the bug
Prototype Pollution vulnerability in csv-parse when using
objnameandcolumnsoptions together. A malicious CSV file can overwrite the prototype of therecordsobject returned in the parse callback.packages/csv-parse/lib/index.js:110records[record[0]] = record[1]disclosure-report.md
REGISTRY.md
To Reproduce
Additional context
When
__proto__is used as a column value,records['__proto__']is assigned, overwriting the prototype of the result object. This can lead to logic bypasses in applications that process the result object further.Similar pattern to CVE-2022-24760.