Input Validation / CSV Injection

Web and API


CSV injection, also known as Formula Injection, is an attack technique used to exploit web and API applications that use comma-separated values (CSV) to store or exchange data. It is an input validation vulnerability, which is categorized as CWE-134 according to the Common Weakness Enumeration (CWE). CSV injection is a type of attack where the attacker is able to inject malicious code into a CSV file. This code can be executed by the application when the file is opened. By exploiting this vulnerability, malicious code can be executed on the system, allowing the attacker to gain access to sensitive data, or even potentially execute arbitrary code. The OWASP Testing Guide provides more information about CSV injection, including how to identify and mitigate the risk.


CSV injection is a serious security risk as it can be used to gain access to sensitive data and potentially execute arbitrary code. An attacker may be able to inject malicious code into a CSV file, which can be executed by the application when the file is opened. This could lead to the attacker gaining access to sensitive data or even potentially executing arbitrary code.


The best way to mitigate the risk of a CSV injection is to ensure that input validation is in place. All user input should be validated to ensure that it does not contain any malicious code. Additionally, input should be sanitized to ensure that only valid data is accepted. Additionally, it is important to ensure that all files are properly validated prior to being opened and executed.


The following example of CSV injection code comes from the CVE database:

=cmd|' /C calc'!A0

This code is a simple example of a CSV injection attack that can be used to execute arbitrary code. The code will open the Windows calculator when the file is opened.

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.