Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities #2831

Open
Templore opened this issue Mar 2, 2025 · 4 comments
Open

Vulnerabilities #2831

Templore opened this issue Mar 2, 2025 · 4 comments

Comments

@Templore
Copy link

Templore commented Mar 2, 2025

https://www.npmjs.com/package/xlsx

latest version 0.18.5 have two vulnerabilities

Image
@JuanTorchia
Copy link

JuanTorchia commented Mar 4, 2025
edited
Loading

Hi @Templore,

Thank you for highlighting the security vulnerabilities in xlsx version 0.18.5. You're correct that this version has two significant vulnerabilities:

  • CVE-2023-30533 (Score 7.5): Prototype Pollution via a crafted file
  • CVE-2023-22365 (Score 7.5): Regular Expression Denial of Service (ReDoS)

These security issues have been addressed in newer versions. The recommended solution is to use SheetJS directly from their CDN with version 0.20.3:

yarn remove xlsx
yarn add xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz

For newer Yarn versions that require explicit package naming, use the xlsx@ prefix as shown above.

Note that if you're using Snyk security tooling, you might still see warnings about "Prototype Pollution" (SNYK-JS-XLSX-5457926), but according to SheetJS, these are false positives for versions 0.19.3 and later. Their official recommendation is to suppress these warnings.

Thanks for bringing attention to these security issues.

This information is also documented in the official SheetJS documentation: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/

Since there's a clear solution available and the maintainers are aware of these issues, I believe this ticket can be closed. 👍

@e965
Copy link

e965 commented Mar 18, 2025
edited
Loading

If you don't want to give up the convenience of NPM, you can use these packages instead of xlsx, they are republished versions of the original package.

@e965/xlsx (#2822 (comment))
xlsx-republish (#2667 (comment))

If you don't want to edit imports throughout the code, you can do it this way (for example):

- "xlsx": "0.18.5",
+ "xlsx": "npm:@e965/[email protected]",

@federicowoodward
Copy link

works fine

@cpena-flexion
Copy link

Hi, @JuanTorchia, my team upgraded to the latest version ("xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz",), but Snyk still flagged it. This was tested using the Snyk CLI. Is this expected, an error, false positive?

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-XLSX-6252523] in [email protected] introduced by [email protected] No upgrade or patch available

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Templore @e965 @JuanTorchia @federicowoodward @cpena-flexion