CVE-2022-22121
📋 TL;DR
CVE-2022-22121 is a CSV injection vulnerability in NocoDB that allows low-privileged attackers to inject malicious formulas into exported CSV files. When administrators export and open these files in spreadsheet applications like Excel, the formulas execute, potentially leading to command execution or data theft. This affects NocoDB instances with versions 0.81.0 through 0.83.8.
💻 Affected Systems
- NocoDB
📦 What is this software?
Nocodb by Nocodb
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the administrator's workstation when the malicious CSV is opened in vulnerable spreadsheet software, potentially leading to full system compromise.
Likely Case
Data exfiltration or local command execution on the administrator's machine when the CSV is opened in Excel or a similar application.
If Mitigated
Limited to formula errors or benign behavior if CSV is opened in text editors or with proper spreadsheet security settings.
🎯 Exploit Status
Exploitation requires low-privileged user access and social engineering to get an administrator to export and open the CSV file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.83.9 and later
Vendor Advisory: https://github.com/nocodb/nocodb/commit/079e3abe
Restart Required: Yes
Instructions:
1. Update NocoDB to version 0.83.9 or later.
2. Restart the NocoDB service.
3. Verify the fix by checking the version and testing the CSV export functionality.
🔧 Temporary Workarounds
Disable CSV export for low-privileged users
Restrict CSV export capabilities to administrators only, or disable them entirely for user management endpoints.
Configure NocoDB permissions to remove export capabilities from low-privileged roles
Educate administrators on safe CSV handling
Train administrators to open CSV files in a text editor first, or to use spreadsheet security settings that disable formula execution.
🧯 If You Can't Patch
- Implement strict user permission controls to prevent low-privileged users from creating tables or accessing export functions.
- Monitor and audit CSV export activities and user table creation for suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Check the NocoDB version via the web interface or configuration files. If the version is between 0.81.0 and 0.83.8 inclusive, the system is vulnerable.
Check Version:
Check the NocoDB web interface dashboard, or examine package.json or the configuration files, for version information.
Verify Fix Applied:
After updating to 0.83.9 or later, test the CSV export and verify that formula-like cell values are neutralised in the exported file.
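The check above can be automated. The following is an added example, not NocoDB's own code: it shows how an exporter neutralises formula-triggering cell values (leading `=`, `+`, `-`, `@`, tab or CR, per OWASP CSV-injection guidance) and provides an audit function that flags any cell in an exported CSV that a spreadsheet would still treat as a formula. The sample rows and the `findUnescapedFormulas` name are constructed for this example.

```javascript
// Added example (not NocoDB's code): neutralise the characters that make a
// spreadsheet treat a CSV cell as a formula, and audit an exported file for
// cells that were left unescaped. Tab and CR are included as triggers too.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', '\t', '\r'];
function isFormulaLike(cell) {
  return typeof cell === 'string' && cell.length > 0 &&
    FORMULA_TRIGGERS.includes(cell[0]);
}
// Prefix a leading apostrophe so the cell is read as text, then quote the cell
// (doubling embedded quotes) so separators cannot break out of it. Note this
// also prefixes legitimate negative numbers such as "-5"; a real exporter
// would exempt columns it knows to be numeric.
function sanitizeCell(cell) {
  let s = cell == null ? '' : String(cell);
  if (isFormulaLike(s)) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}
function toCsv(rows) {
  return rows.map(r => r.map(sanitizeCell).join(',')).join('\n');
}
// Minimal RFC 4180 line parser (single-line cells) used to audit an export;
// unquoting matters because a quoted "=1+1" still executes in a spreadsheet.
function parseCsvLine(line) {
  const cells = [];
  let cur = '', inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes && ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
    else if (ch === '"') inQuotes = !inQuotes;
    else if (ch === ',' && !inQuotes) { cells.push(cur); cur = ''; }
    else cur += ch;
  }
  cells.push(cur);
  return cells;
}
// Every cell of an exported CSV that a spreadsheet would still interpret.
function findUnescapedFormulas(csvText) {
  const hits = [];
  csvText.split(/\r?\n/).forEach((line, row) => {
    parseCsvLine(line).forEach((cell, col) => {
      if (isFormulaLike(cell)) hits.push({ row, col, value: cell });
    });
  });
  return hits;
}
// Constructed sample rows, including a formula-like value a user could type.
const SAMPLE_ROWS = [['id', 'name', 'note'], ['1', '=1+1', 'hello, "world"']];
console.log(toCsv(SAMPLE_ROWS), findUnescapedFormulas('1,=1+1,-5\n2,+3,ok'));
```

Run `findUnescapedFormulas` over a real export taken after the upgrade; an empty result for rows containing user-entered values that start with a trigger character indicates the fix is in effect.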
📡 Detection & Monitoring
Log Indicators:
- Unusual CSV export activities from low-privileged users
- Multiple table creation events from single user accounts
Network Indicators:
- CSV file downloads from NocoDB user management endpoints
SIEM Query:
source="nocodb" AND (event="export_csv" OR event="table_create") AND user_role="low_privilege"