csvjson CVE-2025-57318
Prototype Pollution in csvjson via toSchemaObject headers.
The problem
csvjson <= 5.1.0 (all published versions) is affected by CVE-2025-57318 (CWE-1321, Prototype Pollution). Upstream ships no fix, which is exactly what npm audit reports. `csvjson.toSchemaObject()` interprets dotted and bracketed CSV column headers (e.g. `name.first`) to build nested objects. Because it does not guard reserved property names, a header such as `__proto__.polluted` or `constructor.prototype.polluted` makes the schema builder walk into and mutate `Object.prototype`, which affects every object in the process (the `__proto__[]` variant instead throws, a denial of service). Any CSV whose header row an attacker controls (an upload, an import, a third-party feed) is enough to trigger it.
The fix — drop-in, no code changes
Add an overrides entry so every direct and transitive dependency on
csvjson resolves to the patched fork, then reinstall:
{
  "overrides": {
    "csvjson": "npm:@keep-lts/csvjson@^5.1.1"
  }
}
Equivalent for Yarn: use resolutions. The public API is unchanged — nothing else to do.
Live on npm: @keep-lts/csvjson, or install directly: npm i @keep-lts/csvjson
What we changed
`addDataInSchema` now splits each header on `.`, `[`, and `]` and rejects the header if any segment is `__proto__`, `constructor`, or `prototype`. Legitimate nested headers — and headers that merely contain those words as substrings, e.g. `constructorName` — are unaffected.
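As an added example (not code from csvjson or the @keep-lts fork), the following script reproduces the header walk described in "The problem" and "What we changed" in miniature: a vulnerable nested setter beside the segment-checking guard. The tiny CSV parser, the function names, and the use of a plain object for bracket indices are assumptions made for the demo; the point is the split-then-reject check, which is the same shape as the fork's fix.

```javascript
// Added example, not csvjson's own code. Minimal model of a dotted/bracketed
// header walk, with and without the reserved-segment guard.

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "name.first" or "tags[0].id" into path segments ("tags", "0", "id").
function splitHeader(header) {
  return header.split(/[.\[\]]/).filter((s) => s.length > 0);
}

// The guard: reject the whole header if any *segment* is reserved.
// "constructorName" is one segment and passes; "constructor" does not.
function isSafeHeader(header) {
  return !splitHeader(header).some((seg) => RESERVED.has(seg));
}

// Before: walks into whatever the path names. For "__proto__.polluted" the
// first hop lands on Object.prototype and the final assignment mutates it.
function setPathUnsafe(target, header, value) {
  const segs = splitHeader(header);
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (node[segs[i]] === undefined) node[segs[i]] = {};
    node = node[segs[i]];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// After: same walk, but refuses reserved segments before touching anything.
function setPathSafe(target, header, value) {
  if (!isSafeHeader(header)) {
    throw new Error(`csv header rejected (prototype pollution guard): ${header}`);
  }
  return setPathUnsafe(target, header, value);
}

// Toy CSV-to-objects (assumption: first line is the header row, no quoting).
function toSchemaObjects(csvText, setter = setPathSafe) {
  const [headerLine, ...rows] = csvText.trim().split('\n');
  const headers = headerLine.split(',');
  return rows.map((line) => {
    const cells = line.split(',');
    const obj = {};
    headers.forEach((h, i) => setter(obj, h, cells[i]));
    return obj;
  });
}

// Run a setter against a malicious header on a throwaway object and report
// whether Object.prototype picked up the key; clean up so the process is not
// left polluted.
function pollutes(setter, header) {
  let polluted = false;
  try {
    setter({}, header, 'yes');
    polluted = ({}).polluted === 'yes';
  } catch (_) {
    polluted = false; // guard fired, nothing was written
  } finally {
    delete Object.prototype.polluted;
  }
  return polluted;
}

// Stand-alone demo (constructed input).
console.log('unsafe, __proto__.polluted       ->', pollutes(setPathUnsafe, '__proto__.polluted'));
console.log('unsafe, constructor.prototype.x  ->', pollutes(setPathUnsafe, 'constructor.prototype.polluted'));
console.log('safe,   __proto__.polluted       ->', pollutes(setPathSafe, '__proto__.polluted'));
console.log('safe,   legitimate nested header ->',
  JSON.stringify(toSchemaObjects('name.first,name.last,constructorName\nAda,Lovelace,x')));
```

Rejecting the header rather than silently skipping a segment is the right call: a skipped segment would quietly change the shape of the parsed object. Checking whole segments (not substrings) is what keeps `constructorName` and similar legitimate headers working.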
Proof of concept (the vulnerability)
const csvjson = require('csvjson');
// Attacker-controlled header row: the schema walk lands on Object.prototype
csvjson.toSchemaObject('__proto__.polluted\nyes');
console.log(({}).polluted); // => 'yes' on csvjson <= 5.1.0; the patched fork rejects the header instead
How we keep it trustworthy
- Minimal, surgical patch — security only, no feature changes.
- A regression test that fails on the original and passes on the patch; legitimate behaviour preserved.
- Published under the @keep-lts org with the full advisory and tests inside the package; upstream license and attribution retained.
Full advisory and changelog ship inside the package (SECURITY.md, CHANGELOG.md).