Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (snyk).
CVSS VectorVendor: snyk
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.
AnalysisAI
CSV Injection protection bypass in json-2-csv (npm) allows formula injection to survive the preventCsvInjection sanitization option when injection characters are preceded by leading spaces. Versions 3.15.0 through 5.5.10 are affected. An attacker who can supply JSON input values with space-prefixed formula strings (e.g., ' =SUM(A1:A10)') causes the resulting CSV to carry live spreadsheet formulas, which execute when a recipient opens the file in Excel, Google Sheets, or LibreOffice. Publicly available exploit code exists (Snyk/Gist POC); no confirmed active exploitation (not in CISA KEV).
Technical ContextAI
json-2-csv is a widely-used Node.js/TypeScript npm package that converts JSON objects to CSV strings. The preventCsvInjection option was designed to neutralize CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) by stripping leading characters that trigger spreadsheet formula execution: equals (=), plus (+), minus (-), at (@), tab (0x09), and carriage return (0x0D). The flawed sanitization regex was /^[=+\-@\t\r]+/g, which anchored the match at the very start of the string. By prepending one or more space characters before the formula character, an attacker bypasses this anchor, as the regex does not account for leading whitespace. The corrected regex /^[ \t\r]*[=+\-@\t\r]+/g consumes optional leading spaces before stripping injection characters. The root cause is an incomplete character class at the regex anchor rather than a conceptual design flaw, making this a narrow, precise bypass of an existing security control.
RemediationAI
Upgrade json-2-csv to version 5.5.11 or later, which contains the fix committed in upstream commit 0fdd0bb6d0273178cd940afc323ccbce19688229 (https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229). This is the definitive fix; the patched regex correctly strips leading whitespace before formula characters. If an immediate upgrade is not feasible, a compensating control is to sanitize field values in application code before passing them to json-2-csv: strip or replace leading whitespace from all string fields so the original preventCsvInjection regex can match. Note that this workaround must be applied consistently across all input paths and carries the side effect of altering legitimate field values that begin with spaces. An alternative workaround is to wrap output CSV fields in double quotes and apply application-level escaping of formula characters, though this adds complexity. The Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326 provides additional remediation guidance.
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32721
GHSA-g27c-q7cp-mhx6