Executive Summary

CVE-2026-9673 is a CSV Injection vulnerability in the json-2-csv npm package, affecting versions from 3.15.0 up to 5.5.10. The vulnerability arises because the preventCsvInjection option, which is supposed to block malicious formulas in CSV files, can be bypassed. Attackers can inject formulas into CSV files by inserting leading spaces before formula characters (like '='), causing these formulas to execute when the CSV file is opened in spreadsheet applications such as Microsoft Excel.

The root cause is a flawed regular expression in the preventCsvInjection function that only removes dangerous characters if they appear at the very start of a string, but not if they appear after whitespace or use Unicode variants. This allows attackers to craft CSV content that executes arbitrary formulas upon opening.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to several security impacts if exploited. Malicious formulas injected into CSV files can execute automatically when the file is opened in spreadsheet software, potentially leading to data exfiltration, information disclosure, or manipulation of calculations.

• Data exfiltration by reading arbitrary cells using formulas like INDIRECT.
• Information disclosure by revealing values through formulas like MAX.
• Manipulation of calculations by altering totals or other computed values.

Because the vulnerability requires local access to the system and does not need special privileges or user interaction, it poses a significant risk in environments where CSV files are generated and shared.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing CSV files generated by the json-2-csv package for the presence of injected formulas that start with characters like '=', '+', '-', or '@', especially if these characters appear after leading whitespace.

One approach is to search CSV files for lines containing formulas that could execute in spreadsheet applications. For example, you can use command-line tools to find suspicious CSV content.

• Use grep to find lines starting with or containing formulas preceded by spaces: grep -E '^[^,]*[ \t]*[=+\-@]' *.csv
• Use a script or tool to analyze CSV files for cells starting with whitespace followed by formula characters, which bypass the preventCsvInjection option.

Additionally, tools that scan dependencies for vulnerable versions of json-2-csv can help detect if your system is at risk.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the json-2-csv package to version 5.5.11 or later, where the vulnerability has been fixed by improving the preventCsvInjection option.

This fix includes enhanced sanitization that removes dangerous formula characters even if they appear after leading whitespace, preventing CSV injection attacks.

Until the upgrade is applied, avoid opening CSV files generated by vulnerable versions in spreadsheet applications without first inspecting or sanitizing them.

Consider implementing additional input validation or escaping on data that will be converted to CSV to prevent injection of malicious formulas.

Useful 0 Not Useful 0