CVE-2025-55745
Published: 22 August 2025
Summary
CVE-2025-55745 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Webkul Unopim. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly prevents CSV injection by filtering formula triggers and command sequences out of data before it is exported in spreadsheet-compatible formats.
- SI-2 (Flaw Remediation): requires timely remediation of the flaw through software updates; the UnoPim advisory recommends upgrading to version 0.3.1 or later.
- Input validation: validates and sanitizes user-supplied values that could carry formula payloads before they are stored and later written out through the Quick Export feature.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The attacker uses the public-facing application (T1190) to place formula payloads in data that ends up in a Quick Export CSV. A user who opens that file in a spreadsheet application and accepts its prompts executes the payload (T1204.002, User Execution: Malicious File), giving the attacker code execution on the client.
NVD Description
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim's device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later.
Deeper analysis
UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, contains a CSV injection vulnerability, also known as formula injection, in its Quick Export feature. This affects versions 0.3.0 and prior. The flaw allows attackers to inject malicious content into exported CSV files, which spreadsheet applications like Microsoft Excel may interpret as formulas or commands upon opening.
Unauthenticated attackers (PR:N) with network access can exploit this vulnerability by supplying values that begin with a formula trigger character (=, +, -, @) and are later written verbatim into the CSV export. Victims who download and open the file in compatible spreadsheet software and accept the application's prompts to run the referenced command or follow the link (UI:R) risk arbitrary code execution on their own device. Successful exploitation enables remote code execution, such as establishing a reverse shell, with high confidentiality, integrity and availability impacts (CVSS 8.8).
The UnoPim security advisory and associated GitHub commit recommend upgrading to version 0.3.1 or later as the primary mitigation. The patch addresses the injection issue in the Quick Export functionality so that exported files no longer carry evaluable formulas. Exports produced by affected versions should be treated as untrusted until they have been checked for cells that begin with a formula character.
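The three mechanics described above (the vulnerable export path, the SI-15-style output filter, and a check on files that were already exported) are shown together in the following Python example. This is an added example written for this page, not UnoPim's code and not its Quick Export API; the row layout, payload strings and the `attacker.example` host are constructed for illustration.

```python
"""CSV formula injection: the vulnerable export pattern, an output filter,
and a detector for files that were already exported.

Added example written for this page; it is not UnoPim code and does not
use UnoPim's Quick Export API. Sample rows and payloads are constructed."""
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets can treat
# as the start of a formula (OWASP CSV Injection guidance). Tab and carriage
# return are included because some spreadsheets strip them before parsing.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed product rows: three string cells carry formula-shaped payloads
# of the kind an attacker could save through an application form. Discount
# is a typed float, so a legitimate negative number is present as well.
SAMPLE_ROWS = [
    ["sku", "name", "note", "discount"],
    ["SKU-001", "Desk lamp", "Warm white 6 W", 0.0],
    ["=cmd|' /C calc'!A0", "Injected", "see sku", 0.0],
    ["SKU-003", "Cable", "-2+3+cmd|' /C calc'!A0", -5.0],
    ["SKU-004", "Mug", '=HYPERLINK("http://attacker.example/")', 0.0],
]


def is_formula_like(cell) -> bool:
    """True if a spreadsheet may evaluate this cell as a formula.

    Only str values are checked: numbers written by the exporter are typed
    data, not attacker text, so a negative discount is neither flagged nor
    altered."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def looks_numeric(cell: str) -> bool:
    """A plain number such as -5.0 starts with a trigger but is not a formula."""
    try:
        float(cell)
    except ValueError:
        return False
    return True


def neutralize_cell(cell) -> str:
    """Output filtering in the sense of NIST SI-15, applied per cell.

    A leading single quote makes Excel, LibreOffice Calc and Google Sheets
    read the cell as literal text. Embedded double quotes are left to the
    csv writer (doubled, field quoted), so a payload cannot close the field
    and start a new one."""
    text = str(cell)
    return "'" + text if is_formula_like(cell) else text


def export_csv_naive(rows) -> str:
    """The vulnerable pattern: raw values joined with commas and newlines."""
    return "\n".join(",".join(str(v) for v in row) for row in rows) + "\n"


def export_csv_hardened(rows) -> str:
    """Every cell neutralized, every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str) -> list:
    """Scan an existing CSV, for example an export pulled from a download
    share during incident response, and return 1-based (row, column, cell)
    tuples for cells a spreadsheet would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell) and not looks_numeric(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    naive = export_csv_naive(SAMPLE_ROWS)
    print("naive export flags:", find_formula_cells(naive))
    hardened = export_csv_hardened(SAMPLE_ROWS)
    print(hardened)
    print("hardened export flags:", find_formula_cells(hardened))
```

The first-character check mirrors OWASP's guidance and deliberately treats typed numbers differently from strings, so a genuine negative price is exported unchanged while `-2+3+cmd|...` is neutralized. The single-quote prefix is visible to any non-spreadsheet consumer of the file, so it belongs on export paths intended for spreadsheet use; where the file feeds another program, quoting every field and rejecting formula-like input at intake is the better control.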
Details
- CWE(s)