{
	"id": "cf3b0ed2-229e-401f-88e0-4a10a67aa1dc",
	"created_at": "2026-04-06T01:29:05.146929Z",
	"updated_at": "2026-04-10T13:12:15.360003Z",
	"deleted_at": null,
	"sha1_hash": "3b904f7f73e12f3549540783f82012475b1f1062",
	"title": "CSV Injection | OWASP Foundation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59679,
	"plain_text": "CSV Injection | OWASP Foundation\r\nArchived: 2026-04-06 00:23:24 UTC\r\nAuthor: Timo Goosen, Albinowax\r\nContributor(s): kingthorin, Prasun Srivastav\r\nCSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cell starting with = will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:\r\n- Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.\r\n- Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website.\r\n- Exfiltrating contents from the spreadsheet, or other open spreadsheets.\r\nThis attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:\r\n- Equals ( = )\r\n- Plus ( + )\r\n- Minus ( - )\r\n- At ( @ )\r\n- Tab ( 0x09 )\r\n- Carriage return ( 0x0D )\r\n- Line feed ( 0x0A )\r\n- Full-width (double-byte) variants of formula-initiating characters such as ＝ , ＋ , － , and ＠ , which may be interpreted as formulas in some locales (e.g., Japanese environments).\r\nKeep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g., the comma , or the semicolon ; ) and quotes (e.g., \" or ' ), as attackers could use these to start a new cell and then have the dangerous character in the middle of the user input, but at the beginning of a cell.\r\nAlternatively, apply the following sanitization to each field of the CSV, so that its content will be read as text by the spreadsheet editor:\r\n- Wrap each cell field in double quotes\r\n- Prepend each cell field with a single quote\r\n- Escape every double quote using an additional double quote\r\nTwo examples:\r\nInput: =1+2\";=1+2\r\nEscaped output: \"'=1+2\"\";=1+2\"\r\nInput: =1+2'\" ;,=1+2\r\nEscaped output: \"'=1+2'\"\" ;,=1+2\"\r\n⚠️ Important (Microsoft Excel behavior)\r\nThe above techniques are not reliable in Microsoft Excel after the CSV file is saved and re-opened: Excel may remove quotes or escape characters from CSV cells when a file is saved and re-opened, so commonly suggested CSV injection mitigations may fail and previously escaped formulas may become active again.\r\nExcel-resistant mitigation\r\nTo reliably prevent formula execution in Microsoft Excel, prefix any cell starting with = , + , - , or @ with a tab character ( 0x09 ) inside the quoted field. This behavior has been observed in Microsoft Excel and may differ in other spreadsheet applications.\r\nInput: =1+2\r\nEscaped output: \"\\t=1+2\" (where \\t stands for the 0x09 tab character)\r\n⚠️ Trade-off\r\nThe tab character remains part of the underlying data and may affect downstream processing if the CSV is later imported programmatically.
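The following Python is an added example and not code from the OWASP page. It implements the escaping described above with the standard library csv module: every field is wrapped in double quotes with embedded quotes doubled, cells that start with a trigger character get the single-quote prefix by default or the tab prefix in Excel-resistant mode, and the output is parsed back to confirm that no cell still begins with a formula starter. The function names, the constructed sample rows, the choice of csv.QUOTE_ALL and the decision to apply the tab prefix to the full trigger list (the page names only =, +, - and @ for it) are assumptions of this example.

```python
# Added example, not OWASP's code: escape untrusted values on the way into
# a CSV that people will open in a spreadsheet, then audit the result.
import csv
import io

# Cell-leading characters OWASP lists as formula triggers (ASCII and
# full-width forms). Tab, CR and LF are built with chr() so the source
# stays free of backslash escapes; chr(39) is the single quote.
FORMULA_STARTERS = frozenset('=+-@＝＋－＠')
CONTROL_STARTERS = frozenset({chr(9), chr(13), chr(10)})
TRIGGERS = FORMULA_STARTERS | CONTROL_STARTERS
CRLF = chr(13) + chr(10)


def needs_escaping(value: str) -> bool:
    '''True when a spreadsheet may read this cell as a formula.'''
    return bool(value) and value[0] in TRIGGERS


def sanitize_cell(value, excel_resistant: bool = False) -> str:
    '''Prefix a dangerous cell so it is read as text.

    Default: a single quote, the classic mitigation.
    excel_resistant=True: a tab instead, which the OWASP page reports
    survives an Excel save-and-reopen, at the cost of a tab in the data.
    Both prefixes are applied to every trigger in TRIGGERS (assumption:
    the page only names =, +, - and @ for the tab variant).
    '''
    value = str(value)
    if needs_escaping(value):
        return (chr(9) if excel_resistant else chr(39)) + value
    return value


def naive_csv(rows) -> str:
    '''Deliberately unsafe writer kept as the contrast case: fields are
    joined without quoting, so a separator inside a value opens a new cell.'''
    return CRLF.join(','.join(str(c) for c in row) for row in rows) + CRLF


def hardened_csv(rows, excel_resistant: bool = False) -> str:
    '''Quote every field, double embedded quotes and prefix formula starters,
    so neither a separator nor a quote inside a value can start a new cell.'''
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, doublequote=True,
                        lineterminator=CRLF)
    for row in rows:
        writer.writerow([sanitize_cell(c, excel_resistant) for c in row])
    return buf.getvalue()


def unsafe_cells(text: str) -> list:
    '''Parse CSV text back and return (row, col) of every cell that still
    begins with a formula starter; an empty list means the file is clean.'''
    reader = csv.reader(io.StringIO(text))
    return [(r, c) for r, row in enumerate(reader)
            for c, cell in enumerate(row) if cell[:1] in FORMULA_STARTERS]


# Constructed sample rows: the two payloads from the OWASP table, a value
# that tries to close the field and open a new cell, and a full-width trigger.
SAMPLE_ROWS = [
    ['=1+2' + chr(34) + ';=1+2', 'ok'],
    ['=1+2' + chr(39) + chr(34) + ' ;,=1+2'],
    ['name' + chr(34) + ',=1+2', 'Alice'],
    ['＝1+2', 'Bob'],
]

if __name__ == '__main__':
    print('naive   :', unsafe_cells(naive_csv(SAMPLE_ROWS)))
    print('hardened:', unsafe_cells(hardened_csv(SAMPLE_ROWS)))
    print('excel   :', unsafe_cells(hardened_csv(SAMPLE_ROWS, excel_resistant=True)))
```

Run it directly to see the audit of the naive and the hardened output side by side. A clean result from unsafe_cells shows that Python's csv parser finds no cell starting with a trigger; it does not prove how Excel or LibreOffice will parse the same bytes, so the Excel save-and-reopen behaviour noted above still has to be checked in the target application.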
The tab-prefix mitigation is best suited for CSV files intended for human viewing in spreadsheet applications.\r\nThere is no universal CSV sanitization strategy that is safe for all spreadsheet applications and all downstream consumers.\r\nFor further information, please refer to the following articles:\r\nStealing Google Docs via CSV Injection\r\nSource: https://owasp.org/www-community/attacks/CSV_Injection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://owasp.org/www-community/attacks/CSV_Injection"
	],
	"report_names": [
		"CSV_Injection"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438945,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b904f7f73e12f3549540783f82012475b1f1062.pdf",
		"text": "https://archive.orkl.eu/3b904f7f73e12f3549540783f82012475b1f1062.txt",
		"img": "https://archive.orkl.eu/3b904f7f73e12f3549540783f82012475b1f1062.jpg"
	}
}