CVE-2021-41270

MEDIUM 6.5 | EPSS 0.87%

CSV Injection in symfony/serializer

Published: 11/24/2021 | Modified: 3/13/2026
Also known as: GHSA-2xhg-w2g5-w95x, BIT-symfony-2021-41270

Description

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with `=` is interpreted by the software as a formula and could be abused by an attacker.

In Symfony 4.1, we've added the opt-in `csv_escape_formulas` option in `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars to that list:

- Tab (0x09)
- Carriage return (0x0D)

This makes our previous prefix char (Tab `\t`) part of the vulnerable characters, and [OWASP suggests](https://owasp.org/www-community/attacks/CSV_Injection) using the single quote `'` for prefixing the value.

Resolution
----------

Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas, and adds the prefix to cells starting with `\t` and `\r` as well as `=`, `+`, `-` and `@`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8) for branch 4.4.

Credits
-------

We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.
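The escaping rule described above, re-implemented in Python as an added example (not Symfony's own code): the pre-fix tab prefix is compared with the OWASP single-quote prefix over a constructed CSV export, and a check parses the output back to find any cell a spreadsheet would still evaluate. Function and sample names are assumptions for this example.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula, per the OWASP
# list cited by the advisory: the original four plus tab (0x09) and CR (0x0D).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_trigger(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def escape_pre_fix(cell: str) -> str:
    """Pre-fix behaviour of csv_escape_formulas (hypothetical re-implementation):
    only =, +, -, @ are prefixed, and with a tab. The tab is itself a trigger,
    so the escaped cell is still evaluated when opened in a spreadsheet."""
    return "\t" + cell if cell.startswith(("=", "+", "-", "@")) else cell


def escape_post_fix(cell: str) -> str:
    """Fixed behaviour: all six trigger characters are prefixed with a single quote."""
    return "'" + cell if cell.startswith(FORMULA_TRIGGERS) else cell


def encode_csv(rows, escape):
    """Serialise rows to CSV text, running every string cell through `escape`."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([escape(c) if isinstance(c, str) else c for c in row])
    return buf.getvalue()


def find_unescaped_formulas(csv_text: str):
    """Defensive check for an encoder: parse the CSV back and return
    (row, col, value) for every cell that still starts with a trigger character."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_trigger(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample export: one formula-like cell and one cell that starts with a tab.
SAMPLE_ROWS = [
    ["user", "comment"],
    ["alice", "=1+1"],
    ["bob", "\tindented note"],
    ["carol", "plain text"],
]

if __name__ == "__main__":
    print("pre-fix leaks :", find_unescaped_formulas(encode_csv(SAMPLE_ROWS, escape_pre_fix)))
    print("post-fix leaks:", find_unescaped_formulas(encode_csv(SAMPLE_ROWS, escape_post_fix)))
```

With the pre-fix rule both the `=1+1` cell and the tab-led cell come back as still evaluable; with the single-quote rule the check returns nothing.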

Affected packages (4)

CVSS scores

| Source | Version  | Severity   | Vector                                       |
|--------|----------|------------|----------------------------------------------|
| osv    | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |

References (16)