CVE-2023-30533: Prototype Pollution in sheetJS
(updated )
All versions of SheetJS CE through 0.19.2 are vulnerable to “Prototype Pollution” when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.
A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained. Version 0.19.3 can be downloaded via https://cdn.sheetjs.com/.
References
- cdn.sheetjs.com/
- cdn.sheetjs.com/advisories/CVE-2023-30533
- git.sheetjs.com/sheetjs/sheetjs
- git.sheetjs.com/sheetjs/sheetjs/issues/2667
- git.sheetjs.com/sheetjs/sheetjs/issues/2986
- git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md
- github.com/advisories/GHSA-4r6h-8v6p-xvw6
- nvd.nist.gov/vuln/detail/CVE-2023-30533
Code Behaviors & Features
Detect and mitigate CVE-2023-30533 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →