Open
Security Vulnerability: csvjson prototype injection (GHSA-xq4f-3jxp-qv6m)
Summary
testbeats depends transitively on csvjson (via performance-results-parser), and csvjson is vulnerable to prototype injection.
Vulnerability Details
| Field | Value |
|---|---|
| Severity | High |
| Package | csvjson |
| Vulnerable versions | <=5.1.0 |
| Patched versions | None available |
| Dependency path | testbeats → performance-results-parser → csvjson |
| Advisory | GHSA-xq4f-3jxp-qv6m |
Description
The csvjson package (all versions up to and including 5.1.0) is vulnerable to prototype pollution. An attacker can inject properties into JavaScript object prototypes through maliciously crafted CSV input.
Unfortunately, there is no patched version of csvjson available at this time.
Impact
This vulnerability is flagged by pnpm audit / npm audit, causing CI/CD security checks to fail for projects that use testbeats.
Environment
- testbeats version: 2.2.9
- Node.js: >=22
- Package manager: pnpm
References