json-2-csv CSV Injection Vulnerability

A CSV injection vulnerability has been identified in the json-2-csv package, affecting versions 3.15.0 prior to 5.5.11. The vulnerability arises from the preventCsvInjection option, which can be bypassed, allowing attackers to inject formulas into CSV files. These injected formulas are executed when the files are opened in spreadsheet applications.

Impact

Exploitation of this vulnerability allows for CSV injection, where injected formulas are executed in spreadsheet applications, potentially leading to unauthorized data manipulation or disclosure.

Reproduction

To reproduce this vulnerability, install json-2-csv version 5.5.10 and use the library to convert data into CSV format with the preventCsvInjection option enabled. Include a value that bypasses the CSV injection prevention, such as a formula preceded by spaces or using a fullwidth equals sign. Once the CSV file is generated, open it in a spreadsheet application like Excel or Numbers to verify that the injected formula executes.

Remediation

Upgrade json-2-csv to version 5.5.11 or higher.