Skip to main content

json-2-csv EUVDEUVD-2026-32721

| CVE-2026-9673 MEDIUM
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-05-28 report@snyk.io GHSA-g27c-q7cp-mhx6
5.5
CVSS 4.0 · Vendor: snyk
Share

Severity by source

Vendor (snyk) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
6.1 MEDIUM
qualitative

Primary rating from Vendor (snyk).

CVSS VectorVendor: snyk

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 07:01 EUVD
Source Code Evidence Fetched
May 28, 2026 - 06:33 vuln.today
Analysis Generated
May 28, 2026 - 06:33 vuln.today

DescriptionCVE.org

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

AnalysisAI

CSV Injection protection bypass in json-2-csv (npm) allows formula injection to survive the preventCsvInjection sanitization option when injection characters are preceded by leading spaces. Versions 3.15.0 through 5.5.10 are affected. An attacker who can supply JSON input values with space-prefixed formula strings (e.g., ' =SUM(A1:A10)') causes the resulting CSV to carry live spreadsheet formulas, which execute when a recipient opens the file in Excel, Google Sheets, or LibreOffice. Publicly available exploit code exists (Snyk/Gist POC); no confirmed active exploitation (not in CISA KEV).

Technical ContextAI

json-2-csv is a widely-used Node.js/TypeScript npm package that converts JSON objects to CSV strings. The preventCsvInjection option was designed to neutralize CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) by stripping leading characters that trigger spreadsheet formula execution: equals (=), plus (+), minus (-), at (@), tab (0x09), and carriage return (0x0D). The flawed sanitization regex was /^[=+\-@\t\r]+/g, which anchored the match at the very start of the string. By prepending one or more space characters before the formula character, an attacker bypasses this anchor, as the regex does not account for leading whitespace. The corrected regex /^[ \t\r]*[=+\-@\t\r]+/g consumes optional leading spaces before stripping injection characters. The root cause is an incomplete character class at the regex anchor rather than a conceptual design flaw, making this a narrow, precise bypass of an existing security control.

RemediationAI

Upgrade json-2-csv to version 5.5.11 or later, which contains the fix committed in upstream commit 0fdd0bb6d0273178cd940afc323ccbce19688229 (https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229). This is the definitive fix; the patched regex correctly strips leading whitespace before formula characters. If an immediate upgrade is not feasible, a compensating control is to sanitize field values in application code before passing them to json-2-csv: strip or replace leading whitespace from all string fields so the original preventCsvInjection regex can match. Note that this workaround must be applied consistently across all input paths and carries the side effect of altering legitimate field values that begin with spaces. An alternative workaround is to wrap output CSV fields in double quotes and apply application-level escaping of formula characters, though this adds complexity. The Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326 provides additional remediation guidance.

Vendor StatusVendor

Share

EUVD-2026-32721 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy