PatchSiren cyber security CVE debrief

CVE-2026-9673 json-2-csv CVE debrief

A CSV injection vulnerability exists in the json-2-csv npm package, versions 3.15.0 through 5.5.10. The `preventCsvInjection` option, intended to block formula injection, can be bypassed, so an attacker who controls exported field values can embed spreadsheet formulas in the CSV output. The risk materializes on the client: when a victim opens the attacker-influenced file in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the formula is evaluated, and DDE-style payloads can reach command execution if the user accepts the application's security prompts. The vulnerability was disclosed on 2026-05-28 and assigned a CVSS 4.0 score of 5.5 (MEDIUM). A fix is available in version 5.5.11 via commit 0fdd0bb6d0273178cd940afc323ccbce19688229.

Vendor
json-2-csv
Product
json-2-csv
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations using json-2-csv to generate CSV files from user-controlled data, particularly those distributing reports to end users who open them in Excel or similar applications. Developers building data export functionality in Node.js web applications, reporting tools, or administrative interfaces should prioritize patching.

Technical summary

The json-2-csv library provides JSON-to-CSV conversion for Node.js applications. Versions 3.15.0 through 5.5.10 include a `preventCsvInjection` option that attempts to neutralize formula injection by prepending a single quote to dangerous cell values. The bypass lets an attacker get a cell past that check so that spreadsheet applications evaluate it as a formula on open (the classic DDE payload is =cmd|' /C calc'!A0); the advisory text does not specify which inputs evade the check. The CVSS 4.0 vector rates the attack as local (AV:L) with no privileges or user interaction required (PR:N/UI:N); in practice the payload only fires when a victim opens the generated file in Excel or Calc, and DDE-style command execution additionally requires the user to accept the application's external-content warnings. Impact is rated high to confidentiality (VC:H) with limited integrity impact (VI:L), since command execution via DDE or similar mechanisms may expose sensitive data or enable further system compromise. The fix in 5.5.11 strengthens the injection prevention logic.

Defensive priority

medium

Recommended defensive actions

  • Upgrade json-2-csv to version 5.5.11 or later to obtain the fix for the preventCsvInjection bypass.
  • If immediate patching is not feasible, validate and sanitize all user-controlled data before passing it to json-2-csv conversion functions, particularly fields that may begin with formula-triggering characters (=, +, -, @), including values where such a character follows leading whitespace or control characters such as tab or carriage return.
  • Apply output encoding at the application layer rather than relying on the library option alone: treat a cell as formula-like after skipping leading whitespace and control characters, prefix it with a single quote, and wrap every cell in double quotes with embedded double quotes doubled so a payload cannot break out of its cell. Alternatively, use a CSV library whose injection protection covers these cases.
  • Educate users to open untrusted CSV files in a text editor rather than a spreadsheet application, and, where organizational policy permits, disable Dynamic Data Exchange (DDE) in Excel's Trust Center external-content settings and keep Protected View enabled for files from untrusted sources.
  • Audit exports built from user-supplied data: scan the source records (or stored export files) for field values that begin with =, +, -, or @ after leading whitespace, and review application logs for CSV generation requests made on behalf of untrusted users to detect attempted exploitation.
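The following is an added example for the technical summary and the defensive actions above; it is not json-2-csv's own code and not the 5.5.11 fix. `weakPrevent` is a hypothetical first-character-only guard used to illustrate the general weakness of that class of check; the advisory does not state that leading whitespace is the mechanism of CVE-2026-9673. `encodeCell`, `toCsv` and `findFormulaFields` implement the application-layer encoding and the export audit described in the list, and `SAMPLE_ROWS` is constructed input.

```javascript
// Added example (not json-2-csv's code): a weak "prefix a quote" guard beside a
// hardened CSV cell encoder, plus a scanner that audits records for formula-like fields.

// Characters that make Excel / LibreOffice Calc evaluate a cell as a formula
// when they lead the cell.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@']);

// Hypothetical weak guard: looks only at the very first character, so a value
// such as " =1+1" or "\t=cmd|' /C calc'!A0" passes through unchanged.
// Illustrative only; this is not the library's implementation.
function weakPrevent(value) {
  const s = String(value);
  return FORMULA_TRIGGERS.has(s[0]) ? `'${s}` : s;
}

// Decide "formula-like" after skipping leading whitespace and control characters,
// because spreadsheet importers ignore them before interpreting the cell.
function isFormulaLike(value) {
  const trimmed = String(value).replace(/^[\s\u0000-\u001f]+/, '');
  return trimmed.length > 0 && FORMULA_TRIGGERS.has(trimmed[0]);
}

// Hardened encoder: prefix formula-like cells with a single quote so the
// spreadsheet treats them as text, then always wrap the cell in double quotes
// and double any embedded quotes so a payload cannot break out of its cell or
// smuggle a separator. Legitimate values like "-5" are also prefixed; that is
// the accepted trade-off for an export that may contain untrusted data.
function encodeCell(value) {
  if (value === null || value === undefined) return '';
  const s = isFormulaLike(value) ? `'${String(value)}` : String(value);
  return `"${s.replace(/"/g, '""')}"`;
}

// Minimal row-to-CSV conversion using the hardened encoder (headers from the first row).
function toCsv(rows) {
  if (rows.length === 0) return '';
  const headers = Object.keys(rows[0]);
  const lines = [headers.map(encodeCell).join(',')];
  for (const row of rows) {
    lines.push(headers.map((h) => encodeCell(row[h])).join(','));
  }
  return lines.join('\r\n');
}

// Audit helper for the "scan source records" action: returns every field whose
// value would be treated as a formula, with its row index, for review.
function findFormulaFields(rows) {
  const hits = [];
  rows.forEach((row, i) => {
    for (const [field, value] of Object.entries(row)) {
      if (value !== null && value !== undefined && isFormulaLike(value)) {
        hits.push({ row: i, field, value: String(value) });
      }
    }
  });
  return hits;
}

// Constructed sample: one benign record and two attacker-influenced ones
// (a DDE payload and a formula hidden behind leading spaces).
const SAMPLE_ROWS = [
  { user: 'alice', note: 'quarterly numbers' },
  { user: 'mallory', note: "=cmd|' /C calc'!A0" },
  { user: 'eve', note: '  =HYPERLINK("http://example.invalid","x")' },
];

console.log(toCsv(SAMPLE_ROWS));
console.log(findFormulaFields(SAMPLE_ROWS));
```

Running the block prints the hardened CSV (both hostile notes emerge as quoted text cells beginning with an apostrophe) and the two audit hits; `weakPrevent(' =1+1')` returns the value untouched, which is the behaviour a first-character-only check cannot avoid.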

Evidence notes

Vulnerability reported via Snyk (SNYK-JS-JSON2CSV-14221326). Affected versions confirmed as 3.15.0 ≤ version < 5.5.11. CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) applies. CVSS 4.0 vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N. Fix commit 0fdd0bb6d0273178cd940afc323ccbce19688229 addresses the bypass.

Official resources

2026-05-28