CVE-2025-67851

6.1 MEDIUM

📋 TL;DR

A formula injection vulnerability in Moodle allows a remote attacker to embed malicious formulas in data that is later exported. When a user exports that data and opens it in a spreadsheet application such as Excel or LibreOffice, the embedded formulas are evaluated, potentially compromising data integrity. This affects all Moodle instances with data export functionality enabled.

💻 Affected Systems

Products:
  • Moodle
Versions: Specific versions not yet published in the CVE description; likely affects multiple recent versions
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Requires data export functionality to be enabled and a user to export data to a spreadsheet format

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could cause arbitrary formulas to be evaluated in a victim's spreadsheet, potentially leading to data corruption, information disclosure via external calls, or execution of malicious macros if combined with other vulnerabilities.

🟠 Likely Case

Data integrity issues in exported spreadsheets, potential for phishing via evaluated formulas, and spreadsheet corruption affecting business operations.

🟢 If Mitigated

Impact is limited to the spreadsheet and does not affect the Moodle server itself; proper validation and escaping of exported values prevents exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to be able to enter data that later gets exported, and the victim to open the exported spreadsheet in a vulnerable spreadsheet application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle security advisories for specific patched versions

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=471301

Restart Required: No

Instructions:

1. Check the Moodle security advisory for the patched version.
2. Back up your Moodle installation.
3. Update to the patched version using Moodle's update mechanism.
4. Verify that export functionality works correctly.

🔧 Temporary Workarounds

Disable data export functionality (applies to: all)

Temporarily disable data export features in Moodle until patched.

Navigate to Site administration > Advanced features > Enable data export (uncheck)

Implement input validation (applies to: all)

Add custom validation to sanitize data before export.

Implement input filtering in custom code to escape formula characters (=, +, -, @) before export.

🧯 If You Can't Patch

  • Educate users to never open exported spreadsheets from untrusted sources
  • Configure spreadsheet applications to disable automatic formula execution

🔍 How to Verify

Check if Vulnerable:

Compare your Moodle version against the affected range given in the Moodle security advisory

Check Version:

Navigate to Site administration > Notifications in Moodle admin panel to see current version

Verify Fix Applied:

Test the data export functionality with values beginning with formula characters and verify that they are properly escaped in the output
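The escaping workaround and the "verify fix applied" check above, worked through as an added example (not part of this advisory and not Moodle's own export code). It assumes a generic CSV exporter and constructed sample rows; the TAB and CR triggers beyond the four characters named above come from OWASP's CSV-injection guidance.

```python
import csv
import io

# Leading characters Excel and LibreOffice treat as the start of a formula:
# "=", "+", "-", "@" are named in the advisory; TAB and CR are the extra
# triggers listed in OWASP's CSV-injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-looking string with "'" so the spreadsheet keeps it literal."""
    # Non-strings (numbers, None) pass through so numeric grade data is not mangled.
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_csv(rows):
    """Serialise rows to CSV, neutralising every cell before it is written."""
    buf = io.StringIO()
    # QUOTE_ALL doubles embedded quotes, so a value cannot break out of its own field.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_unescaped_formulas(csv_text):
    """Verification check: (row, col, value) for every cell a spreadsheet would evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((r, c, cell))
    return findings


# Constructed sample rows: a free-text field where a user typed a formula, and a
# phone number whose leading "+" a spreadsheet would also interpret as a formula.
SAMPLE_ROWS = [
    ["username", "phone", "note"],
    ["alice", "555-0100", "=SUM(A1:A3)"],
    ["bob", "+47 555 0101", "ok"],
]

if __name__ == "__main__":
    naive = "\n".join(",".join(r) for r in SAMPLE_ROWS) + "\n"  # unescaped export
    print("naive export:", find_unescaped_formulas(naive))       # two findings
    print("hardened export:", find_unescaped_formulas(export_csv(SAMPLE_ROWS)))  # []
```

Running `find_unescaped_formulas` over a real export taken after patching is the check the "Verify Fix Applied" step asks for; any finding means a cell would still be evaluated.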

📡 Detection & Monitoring

Log Indicators:

  • Unusual export activity patterns
  • Multiple failed export attempts

Network Indicators:

  • Large data export requests containing formula characters

SIEM Query:

source="moodle_logs" AND (event="data_export" AND data CONTAINS "=")
