CVE-2025-62417
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-16

Last updated on: 2025-10-22

Assigner: GitHub, Inc.

Description
Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application β€” potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). This vulnerability is fixed in 2.3.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-16
Last Modified
2025-10-22
Generated
2026-06-16
AI Q&A
2025-10-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62417
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webkul bagisto 2.3.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Bagisto, an open source Laravel eCommerce platform, when product data starting with spreadsheet formula characters (such as =, +, -, or @) is accepted and later exported or saved into a CSV file. When this CSV is opened in spreadsheet software, the software interprets these cells as formulas. An attacker can exploit this by supplying a CSV field containing a malicious formula, which may be evaluated by the victim's spreadsheet application, potentially leading to data exfiltration or remote command execution through older Excel exploits or macros.

Impact Analysis

This vulnerability can lead to serious impacts including unauthorized data exfiltration and remote command execution on the victim's system. If a user opens a maliciously crafted CSV file exported from Bagisto, their spreadsheet software might execute harmful formulas or macros, potentially compromising sensitive data or allowing attackers to run commands remotely on the user's machine.

Mitigation Strategies

Update Bagisto to version 2.3.8 or later, where this vulnerability is fixed. Additionally, avoid opening CSV files from untrusted sources in spreadsheet software without proper sanitization, especially if the CSV fields may begin with spreadsheet formula characters such as =, +, -, or @.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart