CVE-2022-21241

9.6 CRITICAL

📋 TL;DR

CVE-2022-21241 is a cross-site scripting vulnerability in CSV+ versions prior to 0.8.1 that allows remote unauthenticated attackers to inject malicious scripts or OS commands via specially crafted CSV files containing HTML anchor tags. This affects any system using vulnerable CSV+ library versions to process CSV files from untrusted sources.

💻 Affected Systems

Products:
  • CSV+
Versions: All versions prior to 0.8.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the CSV+ library to parse CSV files from untrusted sources is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through OS command execution leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Cross-site scripting attacks leading to session hijacking, credential theft, or defacement of web applications using CSV+.

🟢 If Mitigated

Limited impact with proper input validation and output encoding preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that a malicious CSV file be processed by a vulnerable CSV+ implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.1

Vendor Advisory: https://github.com/plusone-masaki/csv-plus/releases/tag/v0.8.1

Restart Required: No

Instructions:

1. Update CSV+ to version 0.8.1 or later.
2. For package managers: 'npm update csv-plus' or equivalent.
3. Verify installation with version check.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation to reject CSV files containing HTML tags or suspicious content.

Implement server-side validation to scan CSV files for <a> tags and other HTML elements before processing.

Output Encoding

all

Apply proper output encoding when displaying CSV content in web applications.

Use HTML entity encoding for all user-controlled content displayed in web interfaces.
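
The two workarounds above (input validation and output encoding), as an added example that is not part of CSV+ or the vendor's fix. The helper names parseCsv, findHtmlCells and escapeHtml are hypothetical, and the sample CSV is constructed for illustration.

```javascript
// Added example: hypothetical helpers, not CSV+ code.

// Minimal RFC 4180-style parser: quoted fields, "" escapes, CRLF or LF.
function parseCsv(text) {
  const rows = [];
  let row = [], field = '', inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') inQuotes = false;
      else field += c;
    } else if (c === '"') inQuotes = true;
    else if (c === ',') { row.push(field); field = ''; }
    else if (c === '\n' || c === '\r') {
      if (c === '\r' && text[i + 1] === '\n') i++;
      row.push(field); rows.push(row); row = []; field = '';
    } else field += c;
  }
  if (field !== '' || row.length) { row.push(field); rows.push(row); }
  return rows;
}

// Input validation: flag cells holding a tag opener (<a, </a, <!--) or a
// javascript: URL. Deliberately strict, so "x <b" in plain text is flagged too.
const HTML_LIKE = /<\/?[a-z!]|javascript\s*:/i;
function findHtmlCells(rows) {
  const hits = [];
  rows.forEach((cells, r) => cells.forEach((cell, c) => {
    if (HTML_LIKE.test(cell)) hits.push({ row: r + 1, col: c + 1, cell });
  }));
  return hits;
}

// Output encoding: HTML entity encoding, safe for text and quoted attributes.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Constructed sample input (not taken from any real file).
const SAMPLE =
  'name,site\r\nalice,"<a href=""https://example.test/"">link</a>"\r\nbob,plain text\r\n';
```

Scanning after parsing, rather than over the raw file, means quoting and doubled quotes cannot hide a tag from the filter. Encoding at display time still applies to every cell, including files that passed the scan.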

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution.
  • Isolate CSV processing to dedicated sandboxed environments with limited permissions.

🔍 How to Verify

Check if Vulnerable:

Check package.json or the dependency manifest for a CSV+ version below 0.8.1.

Check Version:

npm list csv-plus | grep csv-plus

Verify Fix Applied:

Confirm CSV+ version is 0.8.1 or higher in package dependencies.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV file processing errors
  • Unexpected script execution in web logs
  • CSV files with embedded HTML content

Network Indicators:

  • CSV file uploads containing HTML tags
  • Unexpected outbound connections after CSV processing

SIEM Query:

source="web_server" AND ("CSV" OR ".csv") AND ("<a" OR "href=" OR "javascript:")
