CVE-2026-9673
CSV Injection Bypass in json-2-csv Library
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Snyk
Description
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9673 is a CSV Injection vulnerability in the json-2-csv npm package, affecting versions from 3.15.0 up to 5.5.10. The vulnerability arises because the preventCsvInjection option, which is supposed to block malicious formulas in CSV files, can be bypassed. Attackers can inject formulas into CSV files by inserting leading spaces before formula characters (like '='), causing these formulas to execute when the CSV file is opened in spreadsheet applications such as Microsoft Excel.
The root cause is a flawed regular expression in the preventCsvInjection function that only removes dangerous characters if they appear at the very start of a string, but not if they appear after whitespace or use Unicode variants. This allows attackers to craft CSV content that executes arbitrary formulas upon opening.
How can this vulnerability impact me?
This vulnerability can lead to several security impacts if exploited. Malicious formulas injected into CSV files can execute automatically when the file is opened in spreadsheet software, potentially leading to data exfiltration, information disclosure, or manipulation of calculations.
- Data exfiltration by reading arbitrary cells using formulas like INDIRECT.
- Information disclosure by revealing values through formulas like MAX.
- Manipulation of calculations by altering totals or other computed values.
Because the vulnerability requires local access to the system and does not need special privileges or user interaction, it poses a significant risk in environments where CSV files are generated and shared.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing CSV files generated by the json-2-csv package for the presence of injected formulas that start with characters like '=', '+', '-', or '@', especially if these characters appear after leading whitespace.
One approach is to search CSV files for lines containing formulas that could execute in spreadsheet applications. For example, you can use command-line tools to find suspicious CSV content.
- Use grep to flag lines containing a field that begins, after an optional opening quote and any leading whitespace, with a formula character: grep -E '(^|,)"?[[:space:]]*[=+@-]' *.csv
- Use a script or tool to analyze CSV files for cells starting with whitespace followed by formula characters, which bypass the preventCsvInjection option.
Additionally, tools that scan dependencies for vulnerable versions of json-2-csv can help detect if your system is at risk.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the json-2-csv package to version 5.5.11 or later, where the vulnerability has been fixed by improving the preventCsvInjection option.
This fix includes enhanced sanitization that removes dangerous formula characters even if they appear after leading whitespace, preventing CSV injection attacks.
Until the upgrade is applied, avoid opening CSV files generated by vulnerable versions in spreadsheet applications without first inspecting or sanitizing them.
Consider implementing additional input validation or escaping on data that will be converted to CSV to prevent injection of malicious formulas.
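The following is an added example written for this page, not code from json-2-csv, its fix, or Snyk: a Node.js scanner that flags cells a spreadsheet would evaluate even when the formula character follows leading whitespace or is a fullwidth look-alike (one concrete reading of the "Unicode variants" mentioned above), alongside a hardened apostrophe-prefix sanitizer for the output side. The function names and the sample CSV are assumptions constructed here.

```javascript
// Spreadsheet formula triggers: =, +, -, @ (tab and CR also trigger in Excel).
const TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);
// True when a spreadsheet would evaluate the cell. Unlike an anchored
// /^[=+\-@]/ test (the bypassed shape), this skips leading whitespace,
// Unicode spaces included, and NFKC-folds look-alikes such as U+FF1D
// FULLWIDTH EQUALS SIGN before checking the first visible character.
function isFormulaCell(cell) {
  const body = String(cell).normalize('NFKC').replace(/^\s+/, '');
  return body.length > 0 && TRIGGERS.has(body[0]);
}

// Hardened output-side sanitizer (our own policy, not json-2-csv's patch):
// a leading apostrophe makes the spreadsheet store the cell as literal text.
function neutralizeCell(cell) {
  const text = String(cell);
  return isFormulaCell(text) ? `'${text}` : text;
}

// Minimal RFC 4180 field splitter (quoted fields, doubled quotes) for scanning.
function splitCsvLine(line) {
  const fields = [];
  let cur = '', inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ',') { fields.push(cur); cur = ''; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

// Scan CSV text and report every cell a spreadsheet would evaluate.
function findFormulaCells(csvText) {
  const hits = [];
  csvText.split(/\r?\n/).forEach((line, row) => {
    splitCsvLine(line).forEach((cell, col) => {
      if (isFormulaCell(cell)) hits.push({ row, col, cell });
    });
  });
  return hits;
}
// Constructed sample export: row 1 is benign; rows 2-4 use the bypass shapes
// described above (leading space, leading tab, fullwidth '=' look-alike).
const SAMPLE_CSV = ['name,amount,note', 'alice,12,"hello, world"',
  'bob,7," =SUM(B2:B3)"', '"\t+1",3,plain', 'carol,5,\uFF1D1+1'].join('\n');
```

A plain negative number such as -5 is flagged as well, which is the conservative choice for an export scanner.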