Impact
Vulnerabilities in the popular Node.js library json-2-csv allow a malicious actor to insert spreadsheet formulas into generated CSV content. When the preventCsvInjection option is bypassed, attackers can embed strings that begin with characters such as ‘=’, ‘+’, ‘-’, or a tab, causing spreadsheet applications to interpret them as executable formulas. The injection can trigger arbitrary function calls or data extraction when the CSV file is opened, compromising the confidentiality of the data presented to the user. This weakness is classified under CWE-1236, denoting security weakness in interface validation.
Affected Systems
Any project that uses the json-2-csv NPM package with version identifiers from 3.15.0 up to and including 5.5.11 is affected. This includes any application, script, or service that relies on this library to export data to CSV. Projects that have upgraded beyond 5.5.11 are out of scope.
Risk and Exploitability
The CVSS score of 7.0 rates this vulnerability as high severity. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog, indicating it is not a known mass‑exploited flaw at this time. Exploitation requires that an adversary can influence the data fed to json-2-csv; without that influence the flaw cannot be triggered. The main threat surface exists when an end user opens the produced CSV in a spreadsheet program that evaluates formulas. Appropriate controls on data provenance and strict input sanitization can mitigate the risk; otherwise a lateral or privilege‑escalation vector may be possible if the CSV is handled within a trusted environment.
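The sanitization the advisory recommends, as an added example that is not json-2-csv's own code: a small standalone CSV writer that detects cells leading with a formula character and neutralizes them with a leading single quote, plus an audit helper for CSV text a library has already produced. The lead-character set extends the page's '=', '+', '-' and tab with '@' and carriage return (an assumption based on common spreadsheet hardening guidance); the sample rows are constructed.

```javascript
// Added example, not json-2-csv's own code: detect and neutralize cells that
// a spreadsheet would evaluate as formulas, then emit RFC 4180-quoted CSV.
// Lead characters: the page's '=', '+', '-' and tab, plus '@' and CR, which
// common hardening guidance also treats as formula triggers (assumption).
const FORMULA_LEADS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Detection: does this value start with a formula-triggering character?
function isFormulaLike(value) {
  const s = String(value);
  return s.length > 0 && FORMULA_LEADS.has(s[0]);
}

// Mitigation: prefix risky cells with a single quote so the spreadsheet stores
// them as text, then quote the cell. Trade-off: "-5" is also stored as text.
function sanitizeCell(value) {
  let s = value === null || value === undefined ? '' : String(value);
  const risky = isFormulaLike(s);
  if (risky) s = "'" + s;
  if (risky || /[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

// Export an array of flat objects; the first object's keys become the header.
function toCsv(rows) {
  if (rows.length === 0) return '';
  const headers = Object.keys(rows[0]);
  const lines = [headers.map(sanitizeCell).join(',')];
  for (const row of rows) lines.push(headers.map((h) => sanitizeCell(row[h])).join(','));
  return lines.join('\n');
}

// Audit helper for CSV text a library already produced: report cells whose
// content (ignoring an opening double quote) leads with a formula character.
// Uses a naive comma split, so it assumes no quoted commas in the input.
function findFormulaCells(csvText) {
  const hits = [];
  csvText.split(/\r?\n/).forEach((line, row) => {
    line.split(',').forEach((raw, col) => {
      const cell = raw.startsWith('"') ? raw.slice(1) : raw;
      if (isFormulaLike(cell)) hits.push({ row, col, cell: raw });
    });
  });
  return hits;
}

// Constructed sample input: one benign row and one row with attacker-shaped values.
const SAMPLE_ROWS = [{ name: 'alice', balance: '42' }, { name: '=SUM(1,2)', balance: '\t-5' }];
```

Running `findFormulaCells` over the output of `toCsv(SAMPLE_ROWS)` reports no hits, while running it over unsanitized text such as `"=1+1",ok` flags the quoted formula cell.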
OpenCVE Enrichment