CVE-2023-30533 — Prototype Pollution in sheetJS

Description

All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected. A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained. Version 0.19.3 can be downloaded via https://cdn.sheetjs.com/.

How to fix CVE-2023-30533

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-30533 being exploited?

Moderate — EPSS is 8.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-30533
PATCHgit.sheetjs.com/sheetjs/sheetjs
WEBcdn.sheetjs.com
WEBcdn.sheetjs.com/advisories/CVE-2023-30533
WEBgit.sheetjs.com/sheetjs/sheetjs/issues/2667