


Perceptive Security
SOC/SIEM Consultancy

Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. A…
Published:
26 January 2026 at 23:00:00
Alert date:
27 January 2026 at 17:08:00
Source:
nvd.nist.gov
Security Tools
CVE-2021-47901 affects Dirsearch version 0.4.1, a web directory enumeration tool. The vulnerability exists in the CSV reporting functionality (--csv-report flag) and allows for CSV injection attacks. Attackers can exploit this by crafting malicious server redirects that contain comma-separated paths with Excel formulas. When the tool generates CSV reports, these malicious formulas are injected into the output file. This can lead to formula execution when the CSV report is opened in spreadsheet applications like Excel. The vulnerability demonstrates how output formatting features in security tools can become attack vectors themselves.
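The following is an added example, not dirsearch's code or its fix: it contrasts a report writer that joins fields with commas against one that neutralizes and quotes each field, using a harmless formula in the redirect value. The function names, the column layout and the sample row are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell (per OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize(value):
    """Return the value as text a spreadsheet will not evaluate as a formula."""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text  # leading apostrophe forces the cell to plain text
    return text


def naive_row(fields):
    """Weak pattern: join with commas, no quoting, no neutralizing."""
    return ",".join(str(f) for f in fields)


def safe_row(fields):
    """Hardened pattern: neutralize each field, then let the csv module quote it."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerow([neutralize(f) for f in fields])
    return buf.getvalue().rstrip("\r\n")


def cells_on_import(line):
    """Parse one CSV line back into cells, the way a spreadsheet importer would."""
    return next(csv.reader([line]))


def formula_cells(line):
    """Cells in the line that a spreadsheet would treat as formulas."""
    return [c for c in cells_on_import(line) if c.startswith(FORMULA_TRIGGERS)]


# Constructed scan result: URL, status, size, and a redirect target copied
# from the scanned server's Location header (untrusted input).
SAMPLE = ["http://target.example/admin", 301, 0, "/login,=1+1"]

if __name__ == "__main__":
    for label, row in (("naive", naive_row(SAMPLE)), ("safe", safe_row(SAMPLE))):
        print(label, cells_on_import(row), "formula cells:", formula_cells(row))
```

In the naive row the comma inside the redirect splits it into two cells, so the second cell begins with `=`; quoting keeps the redirect in one cell, and `neutralize` covers values that start with a trigger character themselves.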
Affected products:
Dirsearch
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2021-47901
https://github.com/maurosoria/dirsearch
https://www.exploit-db.com/exploits/49370
https://www.vulncheck.com/advisories/dirsearch-csv-injection
This article was created with the assistance of AI technology by Perceptive.
