The vulnerability in csvtojson arises from improper input sanitization of nested column headers during CSV-to-JSON conversion. The `parser_jsonarray` component fails to check whether a header key names a legitimate object property or a dangerous prototype path. When a CSV file contains a header like `__proto__.polluted`, the library's parsing logic walks into the prototype chain instead of creating a simple property on the target object. This allows an attacker to inject properties into the base `Object.prototype`. Since all objects in JavaScript inherit from this prototype, the injected properties become visible throughout the application, potentially causing a denial of service by overriding fundamental methods like `toString` or `valueOf`, or leading to other unexpected behaviour wherever application logic depends on the integrity of the prototype chain.
Platform: Node.js
Version: <2.0.10
Vulnerability: Prototype Pollution
Severity: Moderate
Date: 2024-09-24
Prediction: Patch expected 2024-09-27
What Undercode Say:
npm audit --audit-level moderate
cat payload.csv
__proto__.polluted,value
injected,malicious_data
const csv2json = require('csvtojson');
// The header `__proto__.polluted` is treated as a nested path, so the parser
// assigns through Object.prototype instead of onto the row object.
csv2json().fromFile('payload.csv').then(() => {
// A fresh, unrelated object now sees the injected property.
console.log({}.polluted); // Output: 'malicious_data'
});
How to Exploit:
Craft a CSV file with a header targeting the prototype (e.g., __proto__.isAdmin). When processed by a vulnerable csvtojson instance, the `isAdmin` property is polluted on the Object prototype. Subsequent checks for `if (user.isAdmin)` in the application might then evaluate to true for any user object that does not have its own `isAdmin` property, leading to a privilege escalation or application crash.
Protection from this CVE
Upgrade csvtojson to version 2.0.10 or later. The patch implements proper key sanitization, preventing traversal of the prototype chain via header names. For immediate mitigation, validate and sanitize all CSV header inputs before processing, rejecting any header whose dotted path contains a segment such as `__proto__`, `constructor`, or `prototype`.
Impact:
Denial of Service (DoS) through application crash by polluting fundamental object methods. Potential for arbitrary code execution if the application uses polluted properties in unsafe functions, though this is less common. The main impact is application instability and unexpected behavior.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode