CVE-2022-28481

9.8 CRITICAL

📋 TL;DR

The CSV-Safe gem versions before 3.0.0 fail to properly sanitize special characters in CSV output, allowing CSV injection attacks. This vulnerability enables attackers to inject formulas or commands that execute when the CSV file is opened in spreadsheet applications like Excel or LibreOffice. Any Ruby application using vulnerable versions of the csv-safe gem to generate CSV files is affected.

💻 Affected Systems

Products:
  • csv-safe Ruby gem
Versions: All versions < 3.0.0
Operating Systems: All operating systems running Ruby applications with csv-safe gem
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use csv-safe to generate CSV files that users might open in spreadsheet applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can execute arbitrary commands on victim machines when malicious CSV files are opened, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Attackers trick users into opening malicious CSV files that execute formulas or commands, potentially stealing credentials, installing malware, or performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the risk is limited to users who intentionally open untrusted CSV files in spreadsheet applications.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CSV injection techniques are well-documented and easy to implement. The vulnerability requires user interaction (opening the CSV file).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0

Vendor Advisory: https://github.com/zvory/csv-safe

Restart Required: No

Instructions:

1. Update the Gemfile to specify 'csv-safe', '>= 3.0.0'.
2. Run 'bundle update csv-safe'.
3. Test CSV generation functionality.

🔧 Temporary Workarounds

Manual CSV sanitization

all

Implement custom sanitization of CSV output that escapes any cell beginning with a special character such as =, +, -, @ (for example by prefixing it with a single quote so spreadsheets treat it as text)

# In Ruby code, manually escape dangerous characters at the start of each cell
# (assumes data is an array of rows; "\\0" re-inserts the matched character, whereas "\0" would insert a NUL byte)
csv_data = data.map { |row| row.map { |cell| cell.to_s.sub(/\A[=+\-@]/, "'\\0") } }

🧯 If You Can't Patch

  • Implement strict input validation on all data before passing to csv-safe
  • Educate users to never open CSV files from untrusted sources in spreadsheet applications

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock or run 'bundle show csv-safe' to see the installed version

Check Version:

bundle show csv-safe | grep csv-safe

Verify Fix Applied:

Verify version is >= 3.0.0 and test CSV generation with malicious input
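The manual sanitization workaround and the "test CSV generation with malicious input" verification step, as one added example (not code from the csv-safe gem or from this advisory). It assumes rows are arrays of cells, uses Ruby's standard CSV library, and goes beyond the advisory's list of = + - @ by also treating a leading tab or carriage return as a formula trigger, which is the usual spreadsheet-hardening guidance.

```ruby
require "csv"

# Characters that spreadsheet applications treat as the start of a formula.
# The advisory lists = + - @; tab and carriage return are added here as an
# assumption based on common CSV-injection hardening guidance.
FORMULA_TRIGGERS = /\A[=+\-@\t\r]/

# Neutralise one cell: prefix a leading trigger character with a single quote
# so the spreadsheet stores the value as text. Non-strings pass through.
def sanitize_cell(value)
  return value unless value.is_a?(String)
  value.sub(FORMULA_TRIGGERS, "'\\0")
end

# True when a parsed cell value would still be interpreted as a formula.
def unsafe_cell?(value)
  value.is_a?(String) && value.match?(FORMULA_TRIGGERS)
end

# Build CSV text from rows, sanitising every cell before the CSV library quotes it.
def safe_csv(rows)
  CSV.generate do |csv|
    rows.each { |row| csv << row.map { |cell| sanitize_cell(cell) } }
  end
end

# Verification step from the advisory: parse the generated file back and
# return every cell that still starts with a formula trigger.
def unsafe_cells(csv_text)
  CSV.parse(csv_text).flatten.select { |cell| unsafe_cell?(cell) }
end

# Constructed sample rows: a benign value, a formula-looking value, a value
# starting with "-" (a false positive the workaround accepts) and an "@" value.
SAMPLE_ROWS = [
  ["name", "note"],
  ["alice", "=SUM(A1:A2)"],
  ["bob", "-5 degrees"],
  ["carol", "@handle"],
]

if __FILE__ == $0
  out = safe_csv(SAMPLE_ROWS)
  puts out
  puts "cells still unsafe after sanitization: #{unsafe_cells(out).inspect}"
end
```

Run the same `unsafe_cells` check against CSV produced by the patched gem to confirm the fix is in effect for your application's own inputs.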

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV generation patterns, large CSV file downloads

Network Indicators:

  • CSV file downloads containing formula characters (=, +, -, @) at start of cells

SIEM Query:

source="web_logs" AND uri="*.csv" AND (payload="=cmd|" OR payload="+cmd|" OR payload="-cmd|")
