CVE-2023-30533
Summary
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.
Categorization
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N (Score 5.3 - Medium)
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') [1]
Affected Products
All releases of SheetJS Community Edition up to and including version 0.19.2 are affected. This includes:
- scripts and modules on the SheetJS CDN through version 0.19.2 [2]
- modules published with the name `xlsx` on npmjs.com [3]
- scripts on third-party CDNs that pull from the `xlsx` package on npmjs.com [4] [5]
- modules published with the name `sheetjs` on deno.land [6]
Remediation
Users should upgrade to version 0.19.3 or later. Official releases are available on the SheetJS CDN [2]. SheetJS CE documentation includes installation instructions for common deployments [7].
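As an added example (not SheetJS code), two defender-side checks a deployment can apply to the Summary and Remediation above: a version gate for the affected range (every release through 0.19.2) and a runtime guard that rejects a parse result if the call left new properties on `Object.prototype`. The parser passed to the guard is assumed to be a wrapper around the application's own read call for untrusted uploads (for example `XLSX.read`); the example does not load SheetJS itself.

```javascript
// Added example, not SheetJS code. Defender-side checks for CVE-2023-30533:
// a version gate for the affected range (<= 0.19.2) and a runtime guard that
// refuses a parse result if the call polluted Object.prototype.

const FIRST_FIXED = [0, 19, 3]; // per the advisory, 0.19.3 or later is fixed

function parseVersion(version) {
  // "0.19.2" -> [0, 19, 2]; missing or non-numeric components count as 0
  const parts = version.split('.').map((n) => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// true for every SheetJS CE release through 0.19.2, false from 0.19.3 on
function isAffectedVersion(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] < FIRST_FIXED[i]) return true;
    if (v[i] > FIRST_FIXED[i]) return false;
  }
  return false; // exactly 0.19.3
}

// Runs readFn(data) (assumed: the application's wrapper around XLSX.read for
// an untrusted file) and compares the own keys of Object.prototype before and
// after the call. Any new key means the parse polluted the prototype: the key
// is removed so later code is not affected, and the result is rejected.
function readWithPollutionGuard(readFn, data) {
  const before = new Set(Reflect.ownKeys(Object.prototype));
  const result = readFn(data);
  const added = Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
  for (const key of added) delete Object.prototype[key]; // no-op if non-configurable
  if (added.length > 0) {
    const names = added.map((k) => String(k)).join(', ');
    throw new Error('prototype pollution detected during parse: ' + names);
  }
  return result;
}
```

A parser that tolerates a frozen prototype can additionally be run after `Object.freeze(Object.prototype)`, which turns the pollution attempt into a silent no-op (or a TypeError in strict mode) instead of relying on after-the-fact detection.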
Acknowledgements
Special thanks to Vsevolod Kokorin of SolidLab for reporting the issue to us.
Links
[1] https://cwe.mitre.org/data/definitions/1321.html
[2] https://cdn.sheetjs.com
[3] https://www.npmjs.com/package/xlsx
[4] https://cdnjs.com/libraries/xlsx/
[5] https://www.jsdelivr.com/package/npm/xlsx/
[6] https://deno.land/x/sheetjs/
[7] https://docs.sheetjs.com/docs/getting-started/