CVE-2025-55745: 
PHP vulnerability analysis and mitigation

UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, was found to contain a CSV injection vulnerability (CVE-2025-55745) in versions 0.3.0 and prior. The vulnerability was discovered on August 22, 2025, affecting the Quick Export feature of the application. This security flaw allows attackers to inject malicious content into exported CSV files (NVD, GitHub Advisory).

The vulnerability is classified as a CSV/Formula injection vulnerability (CWE-1236). When malicious content is inserted into a CSV file and opened in spreadsheet applications like Microsoft Excel, the injected content may be interpreted as formulas or commands rather than plain text. The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity but requiring user interaction (NVD).

Successful exploitation of this vulnerability can lead to remote code execution on the victim's device. When a user opens an infected CSV file in a spreadsheet application, the malicious formulas can execute arbitrary commands, including establishing a reverse shell connection to an attacker's machine. This allows attackers to perform unauthorized actions on the victim's device with the privileges of the user opening the file (GitHub Advisory).

Users are advised to upgrade to UnoPim version 0.3.1 or later, which contains the fix for this vulnerability. The patch implements proper escaping of formula operators when exporting to CSV/XLSX files. For systems that cannot be immediately updated, it is recommended to avoid starting values with equals sign (=), plus sign (+), minus sign (-), at symbol (@), tab (0x09), or carriage return (0x0D). Values should be wrapped in double quotes to ensure they are treated as strings rather than formulas (GitHub Patch).