
CVE-2025-62417: bagisto has CSV Formula Injection in Create New Product

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 10/16/2025
Updated: 10/16/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| bagisto/bagisto | composer | <= 2.3.7 | 2.3.8 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a classic case of CSV Formula Injection (CWE-1236), where the application fails to sanitize user-provided input before including it in a CSV export. The root cause is the lack of input validation and sanitization on product attributes, specifically those that use a rich text editor (TinyMCE).

The analysis of the patch commit 8076c708498a0187bc952d5f5f705e0cb1919682 reveals the vulnerable code path and the fix. The vulnerability is triggered when a user with privileges to edit products injects a string starting with a formula character (e.g., =) into a product field. The Webkul\Admin\Http\Controllers\Catalog\ProductController::update function was identified as the vulnerable function because, prior to the patch, it would take this raw, unsanitized input via request()->all() and save it to the database.

The patch addresses this by introducing several changes:

  1. A new dependency, stevebauman/purify, is added for HTML sanitization.
  2. A new helper function, clean_content(), is created in packages/Webkul/Core/src/Http/helpers.php. This function uses the new library to clean the content and also removes potentially harmful template syntax.
  3. The packages/Webkul/Admin/src/Http/Requests/ProductForm.php form request is modified to use a new passedValidation() method. This method is automatically called after validation passes and it sanitizes the input for any TinyMCE-enabled fields by applying the clean_content() function.
  4. Finally, the ProductController::update method is changed to use the data from the ProductForm request object ($request->all()) instead of the global raw request (request()->all()). This ensures that the controller receives the sanitized data.

Therefore, any runtime profile during the exploitation of this vulnerability on an unpatched system would show the Webkul\Admin\Http\Controllers\Catalog\ProductController::update method processing the malicious input. While the vulnerability manifests upon CSV export, the fix was applied at the point of data entry to prevent malicious data from being stored in the first place.

Vulnerable functions

Webkul\Admin\Http\Controllers\Catalog\ProductController::update
packages/Webkul/Admin/src/Http/Controllers/Catalog/ProductController.php
This function is responsible for updating product information. Before the patch, it used `request()->all()` to get all input data from the HTTP request and passed it directly to the `productRepository` to be saved in the database. This input was not sanitized for characters that could be interpreted as formulas by spreadsheet software. An attacker could submit a malicious formula in a product field (e.g., description), which would be stored. When the product data is later exported to a CSV file, the formula would be executed by the victim's spreadsheet application. The patch changes `request()->all()` to `$request->all()`, where `$request` is an instance of `ProductForm`. This form request class was modified to include a `passedValidation` method that sanitizes the input data before it is used by the controller, thus preventing the malicious data from being stored.

WAF Protection Rules

WAF Rule

### Summary
When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula.
