CVE-2024-22363
Summary
All versions of SheetJS CE through 0.20.1 are vulnerable to "Regular Expression Denial of Service" (ReDoS). For more details, see https://regexide.com
Categorization
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Score 7.5 - High)
CWE-1333 Inefficient Regular Expression Complexity [1]
Affected Products
All releases of SheetJS Community Edition up to version 0.20.1 are affected. This includes:
- scripts and modules on the SheetJS CDN through version 0.20.1 [2]
- modules published with the name `xlsx` on npmjs.com [3]
- scripts on third-party CDNs that pull from the `xlsx` package on npmjs.com [4] [5]
- modules published with the name `sheetjs` on deno.land [6]
Remediation
Users should upgrade to version 0.20.2 or later. Official releases are available on the SheetJS CDN [2]. SheetJS CE documentation includes installation instructions for common deployments [7].
Acknowledgements
Special thanks to Asadbek Karimov and Jardel Matias for discovering and helping to resolve the issue.
Links
[1] https://cwe.mitre.org/data/definitions/1333.html
[2] https://cdn.sheetjs.com
[3] https://www.npmjs.com/package/xlsx
[4] https://cdnjs.com/libraries/xlsx/
[5] https://www.jsdelivr.com/package/npm/xlsx/
[6] https://deno.land/x/sheetjs/
[7] https://docs.sheetjs.com/docs/getting-started/