GHSA-4r6h-8v6p-xvw6

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-4r6h-8v6p-xvw6/GHSA-4r6h-8v6p-xvw6.json

Aliases

CVE-2023-30533

Published

2023-04-24T09:30:19Z

Modified

2023-05-23T13:29:06Z

Details

All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-30533
https://cdn.sheetjs.com/advisories/CVE-2023-30533
https://git.sheetjs.com/sheetjs/sheetjs
https://git.sheetjs.com/sheetjs/sheetjs/issues/2667
https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md

GHSA-4r6h-8v6p-xvw6

Affected packages

npm / xlsx

Affected ranges

Affected versions