.csv

Insights · 6 min read

CSV injection and formula hijacking: what viewers should avoid executing

Cells beginning with =, +, -, @ can trigger spreadsheet formulas, awareness for security teams and CSV tooling.

Published March 21, 2025 · Table

When CSV opens in Excel or Sheets, a cell like =cmd|... can be interpreted as a formula. Pure viewers that do not execute formulas reduce that class of risk compared to full spreadsheet apps.

Defenses

  • Strip or prefix risky leading characters in untrusted feeds.
  • Open unknown files in a sandboxed viewer first.
  • Train finance users on "enable content" prompts.

← All articles