Intel

CVE-2023-30533

xlsx is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 24, 2023

78

High Risk

This Affects:

xlsx
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to prototype pollution when processing a specially crafted file. An attacker able to supply malicious input may inject or modify properties on JavaScript object prototypes, potentially leading to unexpected application behavior, security control bypasses, denial of service, or other impacts depending on how the application uses affected objects.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

xlsx is vulnerable to Prototype Pollution in versions < 0.19.3.

How to fix this

Because of a problem with their NPM account, new versions are no longer updated. Update using the instructions found here: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/. Or migrate to a community-maintained fork like @e965/xlsx.