CVE-2025-62417
bagisto has CSV Formula Injection in Create New Product
Description
### Summary When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). ### Details Spreadsheet applications treat cell text that begins with characters =, +, -, @ as formulas. If unescaped, spreadsheet will interpret and evaluate the content when the file is opened. The application fails to neutralize/escape leading formula characters when generating CSV or when accepting CSV import fields for display/export. ### PoC Insert CSV formula to the product name field, and save the changes. Export it to CSV file, open it and the calc.exe will be executed. Other CSV export functions are affected as well. http://127.0.0.1/admin/catalog/products/edit/1 <img width="408" height="302" alt="image" src="https://github.com/user-attachments/assets/2c6fd1e3-6725-4bf4-9c64-20cd57f4e279" /> <img width="1696" height="854" alt="image" src="https://github.com/user-attachments/assets/911a69ae-65ac-4a8a-ad8e-63571a9610c8" /> ### Impact Data exfiltration: Using spreadsheet functions (e.g., WEBSERVICE, HYPERLINK, or concatenation to create requests) on victims' machines that make network calls. Remote command execution: In some historical cases, specially crafted formulas and older Excel behaviors can lead to RCE. Modern Excel hardens many of these, but risk remains depending on environment.
How to fix CVE-2025-62417
To remediate CVE-2025-62417, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.8 or later
Is CVE-2025-62417 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.