CVE-2021-41270: 
PHP vulnerability analysis and mitigation

Symfony/Serializer, a component that handles serializing and deserializing data structures for the Symfony PHP framework, was found to be vulnerable to CSV injection (also known as formula injection) in versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12. The vulnerability was assigned CVE-2021-41270 and was disclosed on November 24, 2021 (GitHub Advisory).

The vulnerability existed in the CsvEncoder component where cells starting with specific characters (=, +, -, @) were being prefixed with a tab character (\t) to prevent formula injection. However, OWASP later identified that tab (0x09) and carriage return (0x0D) characters should also be considered vulnerable, making the previous mitigation strategy ineffective since the tab character itself became part of the vulnerable character set (GitHub Advisory, Symfony Commit).

When a spreadsheet program opens a CSV file containing cells that start with specific characters (=, +, -, @, \t, \r), these cells could be interpreted as formulas, potentially leading to formula injection attacks. This could allow attackers to execute arbitrary formulas when the CSV file is opened in spreadsheet applications (GitHub Advisory).

The issue was fixed in versions 4.4.35 and 5.3.12 by following OWASP recommendations to use a single quote (') character instead of a tab character to prefix formulas. The fix also extends the list of characters that trigger the prefix to include \t, \r as well as =, +, -, and @ (GitHub Advisory, Symfony Release).