CVE-2025-67851 is a security vulnerability identified in Moodle versions 4.1.0, 4.4.0, 4.5.0, 5.0.0, and 5.1.0, involving improper neutralization of formula elements in CSV exports. The flaw occurs because Moodle fails to properly escape or sanitize data fields when exporting user-supplied content into CSV files. Attackers can inject malicious spreadsheet formulas (e.g., starting with '=', '+', '-', or '@') into data fields. When an administrator or user exports this data and opens the CSV in spreadsheet software like Microsoft Excel or LibreOffice Calc, these formulas execute automatically. This can lead to unauthorized actions such as data exfiltration, modification, or triggering of malicious macros or commands within the spreadsheet environment. The vulnerability requires the attacker to have low privileges to insert malicious data and requires the victim to perform the export and open the file, thus involving user interaction. The CVSS vector indicates local attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, low confidentiality impact, high integrity impact, and low availability impact. No public exploits are known yet, but the risk is significant given the widespread use of Moodle in educational institutions worldwide and the common practice of exporting data for analysis or reporting.

The primary impact of CVE-2025-67851 is on data integrity and confidentiality within organizations using affected Moodle versions. Attackers can manipulate exported CSV files to execute arbitrary formulas, potentially leading to unauthorized data modification, leakage of sensitive information, or execution of malicious commands within spreadsheet applications. This can undermine trust in exported reports and data analytics, disrupt administrative workflows, and expose organizations to further attacks such as phishing or malware delivery via crafted spreadsheets. Educational institutions, which heavily rely on Moodle for course management and data exports, may face reputational damage and operational disruptions. Although availability impact is low, the integrity and confidentiality risks can cascade into broader security incidents if exploited in targeted attacks.

To mitigate CVE-2025-67851, organizations should first apply any official patches or updates released by Moodle addressing this vulnerability. In the absence of patches, administrators should implement strict input validation and sanitization on all user-supplied data fields that may be exported. Specifically, ensure that any data exported to CSV files is properly escaped or prefixed (e.g., with a single quote) to neutralize formula injection attempts. Educate users and administrators to be cautious when opening CSV files from untrusted sources and consider disabling automatic formula execution in spreadsheet applications where possible. Additionally, restrict export permissions to trusted users only and monitor exported data for suspicious content. Employ security awareness training to highlight risks associated with opening untrusted spreadsheet files. Finally, consider using alternative export formats that do not support formula execution or employ tools that sanitize CSV content before export.