GHSA-XF4V-W5X5-PV79: CSV Formula Injection in Spree Customer Export
Vulnerability ID: GHSA-XF4V-W5X5-PV79
CVSS Score: 5.1
Published: 2026-06-04
A CSV Formula Injection vulnerability (CWE-1236) exists in the Spree headless eCommerce platform within the customer export functionality. An unauthenticated attacker can register a customer profile containing malicious formula sequences in fields like the first name or last name. When an administrator exports the customer data to a CSV file and opens it in a spreadsheet application, the spreadsheet engine can interpret and execute these formulas, potentially leading to remote command execution on the administrator's workstation or out-of-band data exfiltration.
TL;DR
Unauthenticated users can inject spreadsheet formulas into customer profile fields in Spree. When an administrator exports customer data to CSV and opens it in Microsoft Excel or LibreOffice, the spreadsheet engine evaluates those formulas, which can run commands on the administrator's workstation (typically after the user accepts the application's security prompts) or silently exfiltrate data from the sheet.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-1236
- Attack Vector: Network (Unauthenticated)
- CVSS v4.0 Score: 5.1 (Medium)
- Exploit Status: Proof-of-Concept
- Impact: Workstation Compromise / Data Leakage
- Affected Component: Spree::Csv::CustomerPresenter
Affected Systems
- Spree Commerce headless platform (RubyGems package 'spree')
- spree: >= 5.2.0, < 5.2.8 (fixed in 5.2.8)
- spree: >= 5.3.0, < 5.3.6 (fixed in 5.3.6)
- spree: >= 5.4.0, < 5.4.3 (fixed in 5.4.3)
Mitigation Strategies
- Upgrade the spree gem to 5.2.8, 5.3.6 or 5.4.3 (or a later release in the same minor series).
- Sanitize exported CSV fields: prefix any value that begins with =, +, -, @, a tab or a carriage return with a single quote so the spreadsheet engine reads it as text. CSV quoting alone does not help, because the spreadsheet strips the quotes before evaluating the cell.
- Configure office spreadsheet suites to disable Dynamic Data Exchange (DDE) and automatic link updates. This limits the command-execution impact on the workstation but does not stop formula-based data leakage, so it complements rather than replaces the export-side fix.
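The export-side sanitization described above, as an added example in Ruby (the language Spree is written in). This is not Spree's own code or its fix; the customer records, the header list and the function names are constructed for illustration, and the first record carries a benign formula payload of the kind the advisory describes.

```ruby
require "csv"

# Leading characters that Excel and LibreOffice treat as the start of a formula
# (the OWASP CSV injection list). Tab and carriage return are included because a
# cell that begins with one of them can still be parsed as a formula.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# True when a spreadsheet engine could interpret the value as a formula.
# Both the raw first character and the first character after stripping leading
# whitespace are checked; the second check is a conservative over-approximation
# so the result does not depend on how a given engine handles leading spaces.
def formula_cell?(value)
  return false unless value.is_a?(String)
  [value[0], value.lstrip[0]].any? { |ch| FORMULA_TRIGGERS.include?(ch) }
end

# Prefix a suspicious cell with a single quote so the spreadsheet reads it as
# text. Non-string values (ids, booleans, dates) pass through unchanged.
def sanitize_csv_cell(value)
  formula_cell?(value) ? "'#{value}" : value
end

# Hypothetical customer records, constructed for this example (not real data).
# Record 1 shows formula text submitted through self-registration; record 3 shows
# a legitimate value that happens to start with a trigger character.
CUSTOMERS = [
  { id: 1, first_name: "=1+1",  last_name: "@SUM(1)",  email: "a@example.test" },
  { id: 2, first_name: "Ada",   last_name: "Lovelace", email: "ada@example.test" },
  { id: 3, first_name: "-Jean", last_name: "Dupont",   email: "jd@example.test" }
].freeze

HEADERS = %w[id first_name last_name email].freeze

# Vulnerable pattern: values are written straight into the CSV. The CSV library's
# own quoting is not a defence; the spreadsheet removes it and evaluates the cell.
def export_customers_unsafe(customers = CUSTOMERS)
  CSV.generate do |csv|
    csv << HEADERS
    customers.each { |c| csv << HEADERS.map { |h| c[h.to_sym] } }
  end
end

# Hardened pattern: every cell passes through sanitize_csv_cell before writing.
def export_customers_safe(customers = CUSTOMERS)
  CSV.generate do |csv|
    csv << HEADERS
    customers.each { |c| csv << HEADERS.map { |h| sanitize_csv_cell(c[h.to_sym]) } }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "--- unsafe export ---", export_customers_unsafe
  puts "--- safe export ---", export_customers_safe
end
```

Running the script prints both exports; in the safe one the first row reads 1,'=1+1,'@SUM(1),a@example.test and the legitimate "-Jean" is also prefixed, which is the accepted cost of this approach (the quote is visible only in the formula bar, not in the rendered cell). Apply the same wrapper to every export path that carries user-supplied strings, not only the customer presenter.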
Remediation Steps:
- Identify the installed Spree version with bundle info spree.
- Modify your Gemfile to require a patched version of Spree (e.g., gem 'spree', '~> 5.4.3').
- Run bundle update spree to pull and install the secured version.
- Deploy the updated application to production and verify that customer exports prepend a single quote to formula-initiating characters.
References
Read the full report for GHSA-XF4V-W5X5-PV79 on our website for more details including interactive diagrams and full exploit analysis.