Spree - CSV Formula Injection in Customer Export
Published: June 04, 2026
SECURITY IDENTIFIERS
- GHSA: GHSA-xf4v-w5x5-pv79
GEM
UNAFFECTED VERSIONS
< 5.2.0
PATCHED VERSIONS
~> 5.2.8
~> 5.3.6
>= 5.4.3
DESCRIPTION
CSV formula injection (also called CSV injection or formula injection) affects the customer export. User-controlled values such as customer names, email addresses, and shipping addresses are written into the export file as-is. When an administrator opens a crafted export in Microsoft Excel or LibreOffice Calc, formulas embedded in the user data execute in the context of the administrator's desktop, potentially exfiltrating data or executing OS commands via DDE (Dynamic Data Exchange).
IMPACT
Vulnerability class: CSV / Formula Injection (CWE-1236)
WHO IS IMPACTED
Administrators who download and open export files in spreadsheet software are the direct victims. Administrative accounts have access to all store data, payment method configurations, customer PII, and full order history.
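As an added illustration of the description and impact above (not code from Spree or from its fix), the Ruby snippet below shows the neutralisation a CSV export can apply to user-controlled columns, plus a scan that flags cells an already generated export would evaluate as formulas; the customer hash shape, header names and sample rows are constructed assumptions.

```ruby
require "csv"

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula. Tab and carriage return are included because both applications
# still evaluate a cell whose first visible character follows them.
FORMULA_PREFIX = /\A\s*[=+\-@\t\r]/

# True when a spreadsheet would evaluate this cell instead of displaying it.
def formula_like?(value)
  value.to_s.match?(FORMULA_PREFIX)
end

# Neutralise a cell by prefixing a single quote, which forces the spreadsheet
# to treat the content as text. Negative numbers such as "-5" are prefixed
# too; losing numeric typing is the accepted trade-off for exports of
# user-supplied strings. Field quoting (commas, embedded quotes) is left to
# the CSV library so the file itself stays well formed.
def safe_cell(value)
  formula_like?(value) ? "'#{value}" : value
end

# Hypothetical export columns; not Spree's own schema.
HEADERS = %w[id email first_name last_name address1].freeze

# Build a customer export; every column is passed through safe_cell unless
# neutralise is false (used below to show what an unprotected export yields).
def export_customers(customers, neutralise: true)
  CSV.generate(headers: HEADERS, write_headers: true) do |csv|
    customers.each do |c|
      row = HEADERS.map { |h| c[h] }
      csv << (neutralise ? row.map { |v| safe_cell(v) } : row)
    end
  end
end

# Detection helper for files already on disk: returns [row_number, header]
# pairs for cells that would execute as formulas when opened.
def scan_export(csv_text)
  CSV.parse(csv_text, headers: true).each_with_index.flat_map do |row, i|
    row.to_h.select { |_, v| formula_like?(v) }.keys.map { |h| [i + 1, h] }
  end
end

# Constructed sample data: one benign customer and one whose name and address
# begin with formula triggers.
SAMPLE_CUSTOMERS = [
  { "id" => 1, "email" => "alice@example.test", "first_name" => "Alice",
    "last_name" => "Smith", "address1" => "1 Main St" },
  { "id" => 2, "email" => "bob@example.test", "first_name" => "=1+1",
    "last_name" => "Jones", "address1" => "\t@SUM(1,1)" },
].freeze
```

Running `scan_export` over an export produced with `neutralise: false` locates the two dangerous cells, while the default export scans clean.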
RELATED
- https://github.com/spree/spree/releases/tag/v5.2.8
- https://github.com/spree/spree/releases/tag/v5.3.6
- https://github.com/spree/spree/releases/tag/v5.4.3
- https://dev.to/cverports/ghsa-xf4v-w5x5-pv79-ghsa-xf4v-w5x5-pv79-csv-formula-injection-in-spree-customer-export-3f4
- https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79
- https://advisories.gitlab.com/gem/spree/GHSA-xf4v-w5x5-pv79
- https://gitlab.com/gitlab-oss-package-research/source/gem/sp/spree-e60058ba/-/tree/5.4.3
- https://github.com/advisories/GHSA-xf4v-w5x5-pv79
