CVE-2025-57318: 
JavaScript vulnerability analysis and mitigation

A Prototype Pollution vulnerability exists in the toCsv function of csvjson versions through 5.1.0. The vulnerability allows attackers to inject properties on Object.prototype via supplying a crafted payload, which can lead to denial of service (DoS) as the minimum consequence. The vulnerability was disclosed on September 24, 2025 (NVD, Miggo).

The vulnerability is identified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). It has received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue specifically affects the toCSV function in the library, which fails to properly validate keys during JSON to CSV conversion, allowing manipulation of the Object.prototype (Miggo).

The primary impact of this vulnerability is the potential for denial of service (DoS) attacks. When exploited, attackers can inject malicious properties into Object.prototype, which can affect the application's behavior and potentially cause service disruptions (NVD).

Currently, there is no patched version available for this vulnerability. Users of csvjson should monitor for updates and consider implementing input validation controls or exploring alternative libraries until a fix is released (NVD).