Security Vulnerability in "https://cdn.sheetjs.com/xlsx-0.20.0/xlsx-0.20.0.tgz" version #3121

Closed
opened 2024-05-03 12:06:22 +00:00 by Swetha · 2 comments

We are currently on version 0.20.0 from "https://cdn.sheetjs.com/xlsx-0.20.0/xlsx-0.20.0.tgz". The BDH tool is currently reporting the security vulnerability below for this version.

SheetJS is vulnerable to a regular expression denial-of-service (ReDoS) issue due to the use of a flawed regular expression to parse XML comments.

An attacker could submit a crafted document containing maliciously formatted XML comments that, when parsed, can trigger excessive consumption of resources, resulting in a denial-of-service (DoS) condition.

Is this vulnerability fixed in the recent versions? If yes, which version should we use?

Thanks in advance.


Getting the same error using a Snyk scan: https://security.snyk.io/vuln/SNYK-JS-XLSX-6252523. Currently using v0.20.1.

Owner

As noted in the [official advisory](https://cdn.sheetjs.com/advisories/CVE-2024-22363) and in the [NIST report](https://nvd.nist.gov/vuln/detail/CVE-2024-22363), this was resolved in version 0.20.2.

You should be able to upgrade with the tarball https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz.

If you are seeing issues with the updated release, please reach out to support for the respective security tool and direct them to the official advisory and NIST report.
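Added example, not part of this thread and not SheetJS project code: two small checks a team triaging this report might script. The first compares an installed `xlsx` version against the fixed release named above (0.20.2 is taken from the thread; the `parseVersion`, `compareVersions` and `isAffectedVersion` names are this example's own). The second, `extractXmlComments`, illustrates the backtracking-free way to find `<!-- ... -->` comments with an index-based scan rather than a regular expression; it is a generic illustration of the mitigation class, not the project's actual fix, and the hostile-looking input it is run against is constructed here.

```javascript
"use strict";

// Fixed release named in the thread and advisory.
const FIXED_VERSION = "0.20.2";

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any pre-release or build
// suffix is ignored) into three integers. Example-only helper.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric field-by-field comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version predates the fixed release.
function isAffectedVersion(installed, fixed = FIXED_VERSION) {
  return compareVersions(installed, fixed) < 0;
}

// Collect the bodies of well-formed XML comments in one left-to-right pass.
// indexOf never revisits earlier text, so runtime is bounded by input length
// whatever the content looks like. An opener with no matching "-->" ends the
// scan instead of triggering any re-examination of the input.
function extractXmlComments(xml) {
  const comments = [];
  let pos = 0;
  for (;;) {
    const start = xml.indexOf("<!--", pos);
    if (start === -1) break;
    // Search for the closer strictly after the 4-char opener, so "<!--->"
    // (not a well-formed comment) is treated as unterminated.
    const end = xml.indexOf("-->", start + 4);
    if (end === -1) break;
    comments.push(xml.slice(start + 4, end));
    pos = end + 3;
  }
  return comments;
}

// Constructed input: a long run of comment openers with no closer at all,
// the shape of input that stresses a parser. The scanner above performs a
// single failing search for "-->" and returns, i.e. linear work.
function buildUnterminatedInput(n) {
  return "<a>" + "<!--".repeat(n) + "</a>";
}
```

Run `isAffectedVersion` against the version reported by your dependency scanner or lockfile; anything it flags should be moved to the 0.20.2 tarball the maintainer points to above.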
Reference: sheetjs/sheetjs#3121