CVE-2025-60852: CSV Injection in Instant Developer Foundation (< 25.0.9600) – Proof of Concept (PoC)
This repository contains a Proof of Concept (PoC) for a CSV Injection (Formula Injection) vulnerability (CVE-2025-60852) affecting applications built with the Instant Developer Foundation framework (versions prior to 25.0.9600). Applications built with the vulnerable framework do not properly sanitize user-supplied input when exporting data in CSV format.
As a result, spreadsheet software such as Microsoft Excel or LibreOffice Calc interprets certain values as formulas.
- Framework: Instant Developer Foundation (framework)
- Affected Versions: < 25.0.9600
- Patch Status: Fixed in version 25.0.9600.
Observed behavior:
- Values starting with “+” or “-” are directly reflected in the exported CSV file and are interpreted as formulas when opened in spreadsheet software such as Microsoft Excel or LibreOffice Calc.
- Values starting with “=” are quoted, suggesting a partial but insufficient mitigation.
- Local command execution (via Excel DDE)
- Data exfiltration (through HYPERLINK)
- Data manipulation in spreadsheets
Insert the following payload in any user-controllable input field.
+CMD|' /C calc'!A0
When the exported CSV file is opened in Excel with DDE launch enabled, the payload triggers execution of calc.exe on Windows.
-
Insert the above payload in any user-controllable input field within a table that can be exported in CSV format (in an application built with Instant Developer Foundation < 25.0).
-
Export the table as CSV.
-
Open the exported CSV file in Microsoft Excel or LibreOffice Calc.
-
If DDE launch is enabled in Excel, the system calculator (
calc.exe) is executed.
🔗 Excel DDE launch documentation
🔗 Release Notes: Instant Developer Foundation - Version 25.0.9600
This PoC has been created strictly for educational and research purposes.
Do not use this against systems or applications without explicit authorization.
The author assumes no liability for any misuse of this material.