

Date: January 10, 2022


In NocoDB, versions 0.81.0 through 0.83.8 are affected by a CSV Injection (Formula Injection) vulnerability. A low-privileged attacker can create a new table and store payloads in its rows. When an administrator accesses the User Management endpoint, exports the data as a CSV file and opens it in a spreadsheet application, the payload is executed.


NocoDB's download-as-CSV functionality fails to sanitize user-controlled input before writing it to the downloaded CSV file, which leads to a formula injection vulnerability. The formula is not evaluated by NocoDB itself: it is written to the file verbatim and evaluated by the spreadsheet application (Excel, LibreOffice Calc, Google Sheets) that the victim opens the export with.

PoC Details

Sign in to the NocoDB application as a low-privileged user (for example, an editor) and create a new table. Create a new row in this table with a cell value set to the formula injection payload shown below. Then click download as CSV: the exported file contains the payload unescaped, and opening it in a spreadsheet application triggers the formula injection.

PoC Code


Affected Environments

0.81.0 through 0.83.8


Update to version 0.84.0 or later

Language: VUE

Weakness (CWE-1236): Improper Neutralization of Formula Elements in a CSV File


Upgrade Version

Upgrade nocodb to version 0.84.0 or later


CVSS v3 Base Score: 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 Base Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial