Insecure Deserialization Flaw in Goodby-CSV Library by Handcrafted in the Alps
CVE-2025-49597

3.9 LOW

Key Information:

Vendor
CVE Published:
13 June 2025

What is CVE-2025-49597?

The Goodby-CSV library, known for its memory efficiency and flexibility in handling CSV imports and exports, contains classes that can be abused as a 'gadget chain' during insecure deserialization: if an application passes untrusted data to PHP deserialization (unserialize()), the library's methods can be strung together by that payload. The gadget chain is not exploitable on its own; it only becomes dangerous when combined with another flaw in the application that lets an attacker control the deserialized input, in which case it can be leveraged to achieve remote code execution. The issue has been addressed in version 1.4.3, and users are strongly encouraged to upgrade.
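Because the chain only fires when an application deserializes attacker-controlled input with class instantiation enabled, the application-side mitigation is to never let unserialize() build objects from untrusted data. The following helper is an added example written for this page, not code from the advisory or from the Goodby-CSV project; the class name in the sample payload is a placeholder, not a real gadget.

```php
<?php
declare(strict_types=1);

// Added example: deserialize untrusted input without instantiating any class.
// With allowed_classes => false, objects in the payload become
// __PHP_Incomplete_Class placeholders whose magic methods (__wakeup,
// __destruct, ...) never run, so no gadget chain can be triggered.
// The result is then scanned and rejected if any placeholder remains,
// so callers only ever receive scalars and arrays.

final class UnsafePayloadException extends RuntimeException {}

function safeUnserialize(string $data): mixed
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        throw new UnsafePayloadException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new UnsafePayloadException('serialized objects are not accepted');
    }
    return $value;
}

// Recursively look for any object placeholder left by unserialize().
function containsObject(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a benign array and a payload carrying an object
// (PlaceholderCls is a hypothetical class name, not a real gadget).
$benign  = serialize(['rows' => 3, 'delimiter' => ',']);
$hostile = 'a:1:{s:3:"cfg";O:14:"PlaceholderCls":1:{s:4:"file";s:10:"/tmp/x.csv";}}';

var_dump(safeUnserialize($benign));
try {
    safeUnserialize($hostile);
} catch (UnsafePayloadException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If the data does not need to be PHP-serialized at all, a plain data format such as JSON (json_decode with associative arrays) removes the class of problem entirely.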

Affected Version(s)

goodby-csv < 1.4.3

References

CVSS V3.1

Score: 3.9
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
