Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00cjZoLTh2NnAteHZ3Ns4AAy7y
Prototype Pollution in sheetJS
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.
A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cjZoLTh2NnAteHZ3Ns4AAy7y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00075
EPSS Percentile: 0.34598
Identifiers: GHSA-4r6h-8v6p-xvw6, CVE-2023-30533
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-30533
- https://cdn.sheetjs.com/advisories/CVE-2023-30533
- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md
- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667
- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986
- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6
Affected Packages
npm:xlsx
Dependent packages: 4,752Dependent repositories: 39,551
Downloads: 8,066,882 last month
Affected Version Ranges: < 0.19.3
Fixed in: 0.19.3
All affected versions: 0.3.3, 0.3.10, 0.4.3, 0.5.0, 0.5.6, 0.5.7, 0.5.8, 0.5.17, 0.6.0, 0.6.1, 0.7.0, 0.7.12, 0.8.0, 0.8.8, 0.9.0, 0.9.2, 0.9.3, 0.9.4, 0.9.6, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.10.0, 0.10.1, 0.10.3, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.11.16, 0.11.17, 0.11.18, 0.11.19, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.16.7, 0.16.8, 0.16.9, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5
All unaffected versions: