CVE-2025-14229

4.7 MEDIUM

📋 TL;DR

This CSV injection vulnerability in SourceCodester Inventory Management System 1.0 allows attackers to inject malicious formulas into exported CSV files. When victims open these files in spreadsheet applications like Excel, the formulas can execute commands or exfiltrate data. Organizations using this specific inventory management system are affected.

💻 Affected Systems

Products:
  • SourceCodester Inventory Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the SVC Report Export component. Any installation with this feature enabled is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on the victim's machine when they open the malicious CSV file in a spreadsheet application, potentially leading to full system compromise.

🟠 Likely Case

Data exfiltration, command execution in the spreadsheet context, or manipulation of spreadsheet calculations when users open exported reports.

🟢 If Mitigated

Limited impact if users open CSV files in plain text editors or with formula execution disabled in their spreadsheet application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed. Attack requires user interaction to open the malicious CSV file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch is available; check the vendor website for updates. Consider implementing input validation and output encoding in the SVC Report Export component.

🔧 Temporary Workarounds

Disable CSV Export Feature (applies to: all)

Temporarily disable the SVC Report Export functionality in the inventory management system.

Implement CSV Sanitization (applies to: all)

Add server-side sanitization of the CSV output: prefix any cell value that begins with a formula character (=, +, -, @) with an apostrophe so that spreadsheet applications treat the cell as text rather than a formula.
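The sanitization described above, as an added example that is not code from the advisory or from the SourceCodester project (whose export code is not shown here): a cell neutralizer and CSV writer in Python, plus a scanner that reports cells in an existing export that still begin with a formula trigger. It adds tab and carriage return to the advisory's four characters because they are also widely cited as formula triggers, and it leaves plain negative numbers such as "-2" alone, since spreadsheets read those as numbers, not formulas.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula. The advisory lists =, +, -, @; tab and carriage return are included
# because they are also commonly cited (e.g. in OWASP guidance) as triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(text):
    """True for cells such as '-2' or '+3.5' that a spreadsheet reads as a
    number, not a formula, so they can be left untouched."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Return a value the spreadsheet will treat as literal text. The leading
    apostrophe is the mitigation the advisory names; some applications display
    it, which is the accepted trade-off."""
    if not isinstance(value, str):
        return value  # numbers and None carry no formula risk
    if value.startswith(FORMULA_TRIGGERS) and not _is_plain_number(value):
        return "'" + value
    return value


def export_rows(header, rows):
    """Write header and rows as CSV text with every cell neutralized. The csv
    module quotes commas, quotes and newlines, so a cell cannot break the row
    structure either."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_unescaped_formulas(csv_text):
    """Scan exported CSV text and return (row, col, value) for every cell that
    still begins with a formula trigger; [] means the export is neutralized.
    Usable for the 'Verify Fix Applied' step on a real export."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS) and not _is_plain_number(cell):
                findings.append((r, c, cell))
    return findings
```

Run `find_unescaped_formulas` over a report exported by the unpatched system to confirm the vulnerability, and over the output of the patched export to confirm the fix.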

🧯 If You Can't Patch

  • Educate users to open CSV files in plain text editors only, not spreadsheet applications
  • Implement network segmentation to restrict access to the inventory management system

🔍 How to Verify

Check if Vulnerable:

Test by exporting a report that contains a formula-injection payload (e.g., =cmd|' /C calc'!A0) in a field and checking whether it appears unescaped in the CSV output.

Check Version:

Check the system's about page or configuration files for version information.

Verify Fix Applied:

Verify that formula characters are properly escaped in exported CSV files (prefixed with apostrophe).

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export requests with formula-like payloads in parameters

Network Indicators:

  • CSV file downloads containing formula characters at the beginning of cells

SIEM Query:

source="web_logs" AND (uri="/export_csv" OR uri="/svc_report") AND (param CONTAINS "=" OR param CONTAINS "+" OR param CONTAINS "-" OR param CONTAINS "@")
