VYPR
Moderate severity · NVD Advisory · Published Sep 16, 2022 · Updated Apr 23, 2025

Improper Neutralization of Formula Elements in a CSV File in ghas-to-csv

CVE-2022-39217

Description

some-natalie/ghas-to-csv (GitHub Advanced Security to CSV) is a GitHub Action that scrapes the GitHub Advanced Security API and writes the results into a CSV file. In affected versions this GitHub Action creates the CSV file without sanitizing the values returned by the APIs. If an alert's dismissal text or any other custom field contains executable code or formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program. This issue has been addressed in version v1. Users are advised to use v1 or later. There are no known workarounds for this issue.
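The flaw and its fix side by side, as an added Python example that is not the project's code: `write_alerts(..., sanitize=False)` reproduces the unsanitized writer, and `neutralize()` is my own escaping routine modelled on the idea behind defusedcsv (prefix a single quote), not its implementation. The alert rows are constructed sample data.

```python
import csv
import io

# Leading characters that make a spreadsheet treat a cell as a formula
# (TAB and CR are included because a formula may follow them).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize(value):
    """Return a cell value that a spreadsheet program will not evaluate.

    Assumption: prefixing a single quote turns the cell into literal text.
    This mirrors the idea behind defusedcsv but is my own code, not its
    implementation. Numbers are passed through unchanged; a negative number
    arriving as a *string* ("-5") is escaped, which is the price of being safe.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return value
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_alerts(alerts, sanitize):
    """Write alert rows to CSV text; `sanitize=False` reproduces the bug."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["number", "state", "dismissed_comment"])
    for alert in alerts:
        row = [alert["number"], alert["state"], alert["dismissed_comment"]]
        writer.writerow([neutralize(v) for v in row] if sanitize else row)
    return buf.getvalue()


# Constructed sample resembling what the code-scanning alerts API returns;
# the dismissal comment is free text under the control of whoever dismissed it.
SAMPLE_ALERTS = [
    {"number": 1, "state": "dismissed", "dismissed_comment": "=1+1"},
    {"number": 2, "state": "dismissed", "dismissed_comment": "false positive"},
    {"number": 3, "state": "open", "dismissed_comment": None},
]

if __name__ == "__main__":
    print(write_alerts(SAMPLE_ALERTS, sanitize=False))  # cell "=1+1" is live
    print(write_alerts(SAMPLE_ALERTS, sanitize=True))   # cell becomes "'=1+1"
```

Switching the writer to `quoting=csv.QUOTE_ALL` would not help: spreadsheet programs strip the quotes and then evaluate the cell, which is why a prefix character is needed rather than quoting.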

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem        Affected versions   Patched versions
some-natalie/ghas-to-csv    GitHub Actions   < 1                 1

Affected products: 1

Patches: 1
d0b521928fa7

move from `csv` to `defusedcsv` (#20)

https://github.com/some-natalie/ghas-to-csv · Natalie Somersall · Sep 7, 2022 · via ghsa
4 files changed · +4 −3
  • requirements.txt (+1 −0) modified
    @@ -1 +1,2 @@
    +defusedcsv==2.0.0
     requests==2.28.1
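Review bot: `defusedcsv==2.0.0` is an exact pin in the same style as `requests==2.28.1`, but since this one line is now what neutralizes API-controlled strings before they reach a spreadsheet, consider adding `--hash=` entries to requirements.txt so the install can run with `pip install --require-hashes` and verify the artifact; also document in the README or changelog that the CSV output changes in v1 (cells are escaped), since any downstream tooling that parses these files will see the difference.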
    
  • src/code_scanning.py (+1 −1) modified
    @@ -1,7 +1,7 @@
     # This holds all the things that do stuff for code scanning API
     
     # Imports
    -import csv
    +from defusedcsv import csv
     import requests
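Review bot: the hunk only rebinds the name `csv`, so the protection depends on every CSV write in this file going through that name (`csv.writer` / `csv.DictWriter`); any row assembled by string joining elsewhere in the file would bypass it. Add a regression test that writes an alert whose dismissal text starts with `=`, `+`, `-` or `@` and asserts that the cell in the generated file no longer starts with that character.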
     
     
    
  • src/enterprise.py (+1 −1) modified
    @@ -1,7 +1,7 @@
     # This holds all the logic for the various enterprise differences.
     
     # Imports
    -import csv
    +from defusedcsv import csv
     from time import sleep
     import requests
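Review bot: style: `from defusedcsv import csv` is now a third-party import sitting above the standard-library `from time import sleep`; group it with `requests` below the stdlib imports, and add a one-line comment saying why the stdlib module is deliberately not used, so a later cleanup does not revert this to `import csv`.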
     
    
  • src/secret_scanning.py (+1 −1) modified
    @@ -1,7 +1,7 @@
     # This holds all the things that do stuff for secret scanning API
     
     # Imports
    -import csv
    +from defusedcsv import csv
     import requests
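Review bot: this is the third identical one-line swap across src/, which relies on each script remembering it; consider a single shared module that exposes the sanitizing writer, or a CI check (a test or lint step that fails on a bare `import csv` under src/), so a script added later cannot silently reintroduce the stdlib writer.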
     
     
    

