CVE-2017-15879 in KeystoneJS
Summary
by MITRE
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/29/2025
The vulnerability CVE-2017-15879 represents a critical CSV injection flaw in KeystoneJS versions prior to 4.0.0-beta.7, classified under CWE-1236 as a weakness in data handling during export operations. This vulnerability specifically affects the admin server API endpoint and the CSV data retrieval functionality within the KeystoneJS framework, creating a dangerous condition where maliciously crafted input can be interpreted as executable formulas when imported into spreadsheet applications like Microsoft Excel. The flaw occurs in the download.js and getCSVData.js files where user-supplied data is directly incorporated into CSV output without proper sanitization or escaping mechanisms. When users export data containing certain characters such as equals signs, plus signs, minus signs, or at symbols at the beginning of input fields, these characters can trigger formula execution in spreadsheet applications, potentially allowing attackers to execute arbitrary commands or access sensitive data through maliciously constructed CSV files.
The operational impact of this vulnerability extends beyond simple data corruption, as it provides attackers with a sophisticated method for executing malicious code through spreadsheet applications. When an unsuspecting user opens a compromised CSV file in Excel or similar applications, the spreadsheet software interprets the injected formula characters as commands rather than data, potentially leading to remote code execution, data exfiltration, or system compromise. This attack vector aligns with ATT&CK technique T1059.005 for command and scripting interpreter execution, as the injected formulas can trigger various system commands depending on the target environment. The vulnerability is particularly dangerous in enterprise environments where users frequently download and open CSV reports from administrative systems, creating a high-impact attack surface that could be exploited to gain unauthorized access to sensitive information or establish persistent access to compromised systems.
Mitigation strategies for CVE-2017-15879 require immediate patching of KeystoneJS installations to version 4.0.0-beta.7 or later, which implements proper input sanitization and CSV escaping mechanisms. Organizations should also implement defensive measures such as disabling automatic formula execution in spreadsheet applications, implementing strict file validation policies for CSV exports, and educating users about the risks of opening untrusted CSV files. The remediation approach should follow security best practices outlined in OWASP Top 10 2021 category A03: Injection, specifically addressing formula injection vulnerabilities. Additionally, implementing proper input validation and output encoding in all CSV export functionalities, including prefixing potentially dangerous characters with single quotes or implementing proper CSV escaping protocols, will prevent similar vulnerabilities from reoccurring in other applications. Network segmentation and access controls should be strengthened to limit exposure of vulnerable systems, and regular security audits should be conducted to identify other potential injection points within the application architecture.