MEDIUM 6.8

CVE-2026-9673: CSV Injection in json-2-csv Library (Versions ≤5.5.10)

The json-2-csv package contains a flaw in its CSV injection protection mechanism. Versions 3.15.0 through 5.5.10 allow an attacker to bypass the preventCsvInjection option and inject malicious formulas into CSV files. When a user opens these files in spreadsheet applications like Excel or Google Sheets, the formulas execute automatically, potentially leading to data exfiltration or further compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.8 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-1236
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-07-03

NVD description (verbatim)

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9673 is a CSV injection vulnerability affecting json-2-csv library versions through 5.5.10. The preventCsvInjection security feature contains a bypass that fails to properly sanitize or block formula prefixes (such as =, +, -, @, and tab characters) before they are written to CSV output. An attacker controlling input to the JSON-to-CSV conversion process can craft payloads that reach the CSV file unfiltered. When the resulting CSV is imported into a spreadsheet application, the formula executes in the context of that application, potentially executing arbitrary commands or accessing sensitive data through the spreadsheet's formula language.

Business impact

Organizations using json-2-csv in data export pipelines face risks of data theft and lateral movement. If user-controlled data flows through json-2-csv without additional sanitization, attackers can embed formulas in exported reports or data files. When business users open these files in Excel, Sheets, or similar tools, the formulas execute silently, potentially stealing credentials, accessing linked data sources, or triggering further exploitation. The risk is particularly acute in SaaS platforms, data analytics tools, and business intelligence systems that export user-generated or third-party data as CSV.

Affected systems

Any application or service using json-2-csv library versions 3.15.0 through 5.5.10 is potentially affected. This includes Node.js applications that perform JSON-to-CSV conversion for data export functionality. The vulnerability does not affect the library itself in isolation; rather, it affects downstream systems when the generated CSV files are opened in spreadsheet applications. No specific vendor products are listed in the advisory, suggesting the impact is primarily on custom implementations and smaller open-source projects that depend on json-2-csv.

Exploitability

The vulnerability has a CVSS score of 6.8 (MEDIUM) and requires no network access or authentication. An attacker needs only the ability to influence JSON input to the conversion process—either through direct application access, an API endpoint, file upload, or data import feature. The barrier to exploitation is low; standard spreadsheet formula syntax is well-documented. However, the attack requires user interaction (opening the CSV file) and relies on a spreadsheet application's willingness to execute formulas, which some organizations may have disabled via security policies. The vulnerability is not currently tracked in the CISA KEV catalog, indicating no evidence of active exploitation in the wild.

Remediation

Update json-2-csv to version 5.5.11 or later, which includes a corrected preventCsvInjection implementation. If immediate upgrading is not feasible, implement secondary validation: sanitize all user-controlled data before passing it to json-2-csv, strip or escape formula prefix characters (=, +, -, @, tab) at the application level, or configure spreadsheet applications to disable automatic formula execution on import. Additionally, educate users to be suspicious of unexpected formulas in exported data files.

Patch guidance

Verify the current version of json-2-csv in your dependencies (npm list json-2-csv or check package-lock.json). Update to version 5.5.11 or later using npm update json-2-csv or yarn upgrade json-2-csv. After patching, re-export sample data containing formula-like strings to confirm they are no longer executed when opened in a spreadsheet. In a development environment, test with payloads such as =cmd|'/c calc'!A1 to verify the preventCsvInjection option now blocks them. For applications that cannot upgrade immediately, configure temporary input validation middleware that strips leading formula characters before data reaches the conversion function.

Detection guidance

Monitor for CSV export functions that receive suspicious input patterns resembling formulas (strings beginning with =, +, -, @, or tab characters, particularly those containing pipe characters, exclamation marks, or shell commands). Review application logs for unusual data export requests, especially those combining public-facing APIs with CSV generation. In networks where possible, monitor for users opening unexpected CSV files from external or suspicious sources and opening them in spreadsheet applications. Endpoint detection and response (EDR) tools can flag spreadsheet applications spawning child processes (a common outcome of formula-based code execution).

Why prioritize this

Although the CVSS score is MEDIUM (6.8), this vulnerability warrants prompt attention because it affects a widely-used data conversion library and requires no authentication or network access to exploit. The attack surface is broad in SaaS and cloud environments where CSV export is common. Delaying patching increases the window during which sophisticated attackers could craft targeted payloads for specific applications. However, it is not critical because it requires user interaction and is not currently being exploited in the wild.

Risk score, explained

The CVSS 3.1 score of 6.8 reflects: (1) local attack vector—only users with access to the application can send input to it; (2) low complexity—the bypass requires no special conditions or deep system knowledge; (3) no authentication required; (4) high confidentiality impact—formulas can exfiltrate data; (5) low integrity impact—formulas are limited in file-system modification without user interaction; (6) no availability impact. The score does not account for the requirement that a user must open the CSV file and allow formula execution, which in practice reduces risk for organizations with security policies disabling formula execution.

Frequently asked questions

Does this vulnerability require network access to exploit?

No. An attacker needs only the ability to influence JSON input to the csv conversion function. This could occur via an API endpoint, file upload feature, or any application logic that passes user-controlled data to json-2-csv.

What happens if our spreadsheet application has macro/formula execution disabled?

You are significantly protected. If Excel, Sheets, or other tools are configured to block automatic formula execution on import, the attack cannot proceed past the file opening. However, if a user explicitly enables formula calculation after a security warning, the bypass can still be exploited.

Is patching to 5.5.11 sufficient, or do we need additional controls?

Patching is the primary fix. However, defense-in-depth suggests also sanitizing user input at the application level and educating users not to enable unexpected formulas in imported CSV files. This limits risk if a future bypass is discovered.

How does this differ from a typical CSV injection attack?

This vulnerability is specifically a bypass of the preventCsvInjection safeguard built into json-2-csv. Organizations that believed they were protected by enabling that option are actually still vulnerable; this attack directly targets that false sense of security.

This analysis is based on publicly available information as of July 3, 2026. Patch version numbers and remediation guidance should be verified against the official json-2-csv repository and GitHub security advisory. CVSS scores and severity ratings are provided by the maintainers and reflect general risk; your organization's risk may differ based on configuration, user behavior, and compensating controls. This advisory does not constitute legal or financial advice and does not guarantee protection against all exploitation techniques. Consult with your security team and the vendor for organization-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).