CVE-2023-30533 – xlsx

Package

Manager: npm
Name: xlsx
Vulnerable Version: >=0 <0.19.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.03903 pctl0.87827

Details

Prototype Pollution in sheetJS All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected. A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.

Metadata

Created: 2023-04-24T09:30:19Z
Modified: 2023-05-23T13:29:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-4r6h-8v6p-xvw6/GHSA-4r6h-8v6p-xvw6.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-4r6h-8v6p-xvw6
Finding: F390
Auto approve: 1