SecuriTricks - CVE-2025-49597

Description

handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3.

Product(s) Impacted

Vendor	Product	Versions
Handcraftedinthealps	Goodby-csv	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	handcraftedinthealps	goodby-csv	/	/	/	/	/	/	/	/

References

https://github.com/handcraftedinthealps/goodby-csv/commit/acd14c6ed85116bb2cb4da35ab62821e5cf54519

https://github.com/handcraftedinthealps/goodby-csv/security/advisories/GHSA-x3c7-22c8-prg7

CVSS Score

3.9 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

View Vector String

Timeline

Published: June 13, 2025, 8:15 p.m.
Last Modified: June 13, 2025, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-49597