RSEC-2023-0

Import Source
https://github.com/RConsortium/r-advisory-database/blob/main/vulns/readxl/RSEC-2023-0.yaml
JSON Data
https://api.osv.dev/v1/vulns/RSEC-2023-0
Published
2023-07-13T02:22:58.600Z
Modified
2023-10-19T01:17:00.600Z
Summary
Out-of-bounds write and stack-based buffer overflow vulnerabilities
Details

The readxl R package, versions 0.1.0 through 1.0.0, is vulnerable through its use of the libxls library. Several exploitable vulnerabilities have been identified in libxls versions 1.3.4 and 1.4: an out-of-bounds write in xls_mergedCells and a stack-based buffer overflow in xls_getfcell; integer overflows in xls_preparseWorkSheet when handling MULBLANK and MULRK records and in xls_appendSST when handling the shared string table (SST); and an out-of-bounds access in xls_addCell when it processes a formula record. Each of these can corrupt memory and potentially lead to remote code execution. The trigger is a specially crafted XLS file, for example one supplied by an attacker, being parsed by readxl and thus reaching the vulnerable libxls functions; no interaction beyond opening the file is needed.

References

Affected packages

CRAN / readxl

Package

Name
readxl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.0
Fixed
1.1.0

Affected versions

0.*

0.1.0
0.1.1

1.*

1.0.0
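The practical check for this advisory is whether an installed readxl falls inside the ECOSYSTEM range above (introduced 0.1.0, fixed 1.1.0). The following is an added example, not code from OSV, the R Consortium advisory database, readxl or libxls: it evaluates OSV range events against CRAN-style version strings. The event list is copied from this advisory; the installed versions in main() are constructed inputs, and the assumption that events are listed in ascending order holds for RSEC-2023-0.

```python
"""Check installed R package versions against an OSV ECOSYSTEM range.

Added example for this advisory; it is not code from OSV, the R Consortium
advisory database, readxl or libxls. The events below are copied from the
affected range published in RSEC-2023-0; the installed versions used in
main() are constructed inputs.
"""
from __future__ import annotations

import re

# Affected range events as published in RSEC-2023-0, in ascending order.
RSEC_2023_0_EVENTS = [{"introduced": "0.1.0"}, {"fixed": "1.1.0"}]

_SEPARATOR = re.compile(r"[.-]")


def parse_r_version(version: str) -> tuple[int, ...]:
    """Split a CRAN version string ('1.4.3', '1.4.3-1') into integer components.

    CRAN accepts '.' and '-' as separators, and R's utils::compareVersion()
    compares the components numerically, which is what the tuple gives us.
    """
    parts = _SEPARATOR.split(version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a valid R version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if a sorts strictly before b (numeric, component-wise).

    As with compareVersion(), a shorter version sorts before a longer one
    that shares its prefix, so '1.1' < '1.1.0'.
    """
    return parse_r_version(a) < parse_r_version(b)


def is_affected(version: str, events: list[dict[str, str]]) -> bool:
    """Evaluate OSV range events against one version.

    Walk the events in the order the advisory lists them (assumed ascending,
    as in RSEC-2023-0): 'introduced' opens an affected interval once the
    version reaches it, 'fixed' closes it at and above the fix version, and
    'last_affected' closes it strictly above that version. The special
    introduced value '0' means 'from the first release'.
    """
    affected = False
    for event in events:
        if "introduced" in event:
            lower = event["introduced"]
            if lower == "0" or not version_lt(version, lower):
                affected = True
        elif "fixed" in event:
            if not version_lt(version, event["fixed"]):
                affected = False
        elif "last_affected" in event:
            if version_lt(event["last_affected"], version):
                affected = False
        else:
            raise ValueError(f"unknown OSV event: {event!r}")
    return affected


def audit(package: str, installed: str, advisory_id: str,
          events: list[dict[str, str]]) -> dict[str, str | bool]:
    """Produce one finding record for an installed package version."""
    return {
        "package": package,
        "installed": installed,
        "advisory": advisory_id,
        "affected": is_affected(installed, events),
    }


def main() -> None:
    # Constructed inventory: readxl versions one might find installed.
    inventory = ["0.1.0", "0.1.1", "1.0.0", "1.1.0", "1.4.3"]
    for installed in inventory:
        finding = audit("readxl", installed, "RSEC-2023-0", RSEC_2023_0_EVENTS)
        verdict = "AFFECTED" if finding["affected"] else "ok"
        print(f"readxl {installed:>6}: {verdict}")


if __name__ == "__main__":
    main()
```

To feed real data, obtain the installed version with `Rscript -e 'cat(as.character(packageVersion("readxl")))'` and pass it to audit(); the JSON linked above carries the same events under affected[].ranges[].events, so the constant can be replaced by the live advisory when auditing against the whole database.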