JavaScript Unsafe CSV Injection (fast-csv)
Description
This detector identifies CSV injection vulnerabilities in JavaScript applications using the fast-csv library. CSV injection occurs when untrusted user input is written to CSV files without proper sanitization, allowing attackers to inject formulas or commands that execute when the CSV is opened in spreadsheet applications.
Detection Strategy
• Scans JavaScript source code for usage of the fast-csv library's write or transformation functions
• Identifies when user-controlled data flows into CSV generation without proper sanitization or escaping
• Triggers when potentially dangerous characters (like =, +, -, @) from untrusted sources are written to CSV fields
• Reports violations where input validation or output encoding is missing before CSV data serialization
Vulnerable code example
const fs = require('fs');
const express = require('express');
const fastCsv = require('fast-csv');
const app = express();
app.use(express.json());
app.get('/csv', (req, res) => {...
✅ Secure code example
const fs = require('fs');
const express = require('express');
const fastCsv = require('fast-csv');
const app = express();
app.use(express.json());
function sanitizeCSV(value) {...
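The secure example above is truncated, so here is an added, complete sanitizer in JavaScript that is neither the page's own sanitizeCSV nor code from the fast-csv project. It neutralises the trigger characters named in the detection strategy before a row reaches any CSV writer, and keeps RFC 4180 quoting as a separate step so the two concerns are not confused; the names sanitizeCsvField, looksLikeFormula, quoteCsvField, toCsvLine, renderSample and the sample rows are assumptions of this example.

```javascript
'use strict';
// Added example, not the page's truncated sanitizeCSV nor code from the fast-csv project.
// fast-csv is not needed to show the point: every value is neutralised *before* it is
// handed to any CSV writer (with fast-csv that is the row passed to format().write()).

// Leading characters that make Excel, LibreOffice Calc and Google Sheets evaluate a
// cell as a formula; quoting the field per RFC 4180 does not stop this.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// True when a field written verbatim would be treated as a formula (detection hook).
function looksLikeFormula(value) {
  return FORMULA_TRIGGERS.has(String(value).charAt(0));
}

// Neutralise one field by prefixing a single quote, which spreadsheets read as
// "this cell is text". Plain numbers such as -5 are exempted so they stay numeric;
// the exemption regex is deliberately strict (digits and one decimal point only).
function sanitizeCsvField(value) {
  if (value === null || value === undefined) return '';
  const text = String(value);
  if (typeof value === 'number' || /^[+-]?\d+(\.\d+)?$/.test(text)) return text;
  return looksLikeFormula(text) ? "'" + text : text;
}

// RFC 4180 quoting: wrap when the field holds a comma, quote or line break and
// double any embedded quotes. This handles CSV structure, not formula evaluation.
function quoteCsvField(text) {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

// One CSV line from untrusted values: sanitise first, then quote.
function toCsvLine(fields) {
  return fields.map((f) => quoteCsvField(sanitizeCsvField(f))).join(',');
}

// Constructed sample rows: the second row imitates user-supplied fields that start
// with formula triggers, plus one field that needs RFC 4180 quoting.
const SAMPLE_ROWS = [
  ['Alice', 'alice@example.com', 42],
  ['=1+1', '@SUM(A1:A2)', 'a,"b"'],
];

// Render the sample as CSV text (CRLF line endings as in RFC 4180).
function renderSample() {
  return SAMPLE_ROWS.map(toCsvLine).join('\r\n');
}

console.log(renderSample());
```

With fast-csv, the same sanitizeCsvField would be applied to each value of a row object before that row is written, so the writer only ever sees neutralised text.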