@nlpjs/xtables depends on vulnerable version of xlsx #1321

Open
ahitrov opened this issue Jun 6, 2023 · 3 comments

@ahitrov
ahitrov commented Jun 6, 2023

[Security] Prototype Pollution in sheetJS

GHSA-4r6h-8v6p-xvw6

Affected version: 0.19.3

Description
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

References
https://nvd.nist.gov/vuln/detail/CVE-2023-30533
https://cdn.sheetjs.com/advisories/CVE-2023-30533
https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md
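Because the vulnerable copy of xlsx can sit nested under a dependency such as @nlpjs/xtables rather than at the project root, a quick way to confirm exposure is to walk the lockfile. This is an added example, not code from the issue thread or from the nlp.js project; it assumes a lockfile v2/v3 layout (`packages` keyed by install path) and treats 0.19.3 as the first release not covered by the advisory's "through 0.19.2" range, with the sample lockfile constructed for illustration.

```javascript
// Scan an npm lockfile (v2/v3 "packages" layout assumed) for copies of xlsx
// whose version falls in the range the advisory calls affected (<= 0.19.2).

const FIXED_VERSION = "0.19.3"; // first version outside the advisory's affected range

// Numeric dotted-version comparison; returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every xlsx entry, including nested copies, below the fixed version,
// together with the package that pulled it in so the owner is obvious.
function findVulnerableXlsx(lockfile) {
  const suffix = "node_modules/xlsx";
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(suffix) || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) >= 0) continue;
    const parent = path
      .slice(0, -suffix.length)
      .replace(/\/$/, "")
      .replace(/^node_modules\//, "") || "<root>";
    findings.push({ path, version: meta.version, parent });
  }
  return findings;
}

// Constructed sample lockfile: the root pins a patched xlsx, but @nlpjs/xtables
// carries its own nested, older copy (the situation this issue describes).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/xlsx": { version: "0.19.3" },
    "node_modules/@nlpjs/xtables": { version: "0.0.0-constructed" },
    "node_modules/@nlpjs/xtables/node_modules/xlsx": { version: "0.18.5" },
  },
};

for (const f of findVulnerableXlsx(SAMPLE_LOCK)) {
  console.log(`xlsx ${f.version} at ${f.path} (pulled in by ${f.parent}) is affected`);
}
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a lockfile v1 (`dependencies` tree) needs a different walk.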

@Mitko-Kerezov

This is currently heavily affecting us as well, as npm audit does not pass and it is marked as a high-severity security issue.

Could we get an update on this?

@kibertoad
@ericzon Can we help with this?

@kibertoad
@ericzon We've created an npm version for a newer version of XLSX (which is distributed with Apache 2 license over CDN): https://www.npmjs.com/package/@lokalise/xlsx

It should resolve the security issue in question.
