MEDIUM 6.8

GHSA-g27c-q7cp-mhx6

json-2-csv vulnerable to CSV Injection via the preventCsvInjection option

Details

Versions of the package json-2-csv from 3.15.0 up to, but not including, 5.5.11 are vulnerable to CSV Injection because the preventCsvInjection option can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

Affected packages

npm / json-2-csv
Introduced in: 3.15.0
Fixed in: 5.5.11
Fix: npm install json-2-csv@5.5.11
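
To check whether a project still resolves an affected copy, including nested transitive ones, the following added example (not part of the advisory or the json-2-csv project) scans the "packages" map of a lockfileVersion 2/3 package-lock.json for versions in the range above. The sample lockfile and its package names are constructed; pre-release versions are treated conservatively as an assumption.

```javascript
// Added example: flag json-2-csv copies in the advisory's range (>= 3.15.0, < 5.5.11).
const AFFECTED_FROM = [3, 15, 0];
const FIXED_IN = [5, 5, 11];

// Split "MAJOR.MINOR.PATCH[-prerelease]" into numeric core and a pre-release flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { core: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable: caller should review by hand
  const vsFixed = compare(v.core, FIXED_IN);
  // A pre-release of the fixed version sorts before it in semver, so it is
  // treated as still affected (conservative assumption).
  if (vsFixed === 0) return v.pre;
  return compare(v.core, AFFECTED_FROM) >= 0 && vsFixed < 0;
}

// Walk the "packages" map (lockfileVersion 2 and 3) so nested, transitive
// copies are found as well as the top-level one.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget = path === 'node_modules/json-2-csv' ||
      path.endsWith('/node_modules/json-2-csv');
    if (isTarget && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project; package names are hypothetical).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/json-2-csv': { version: '5.5.11' },
    'node_modules/report-lib/node_modules/json-2-csv': { version: '4.1.0' },
    'node_modules/legacy-export/node_modules/json-2-csv': { version: '3.14.4' },
  },
};
console.log(findAffected(sampleLock));
```

For a real project, pass the parsed contents of package-lock.json to findAffected in place of sampleLock.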

References