
Vulnerabilities

Open Templore opened this issue 8 months ago • 6 comments

https://www.npmjs.com/package/xlsx

latest version 0.18.5 has two vulnerabilities

Templore avatar Mar 02 '25 02:03 Templore

Hi @Templore,

Thank you for highlighting the security vulnerabilities in xlsx version 0.18.5. You're correct that this version has two significant vulnerabilities:

  • CVE-2023-30533 (Score 7.5): Prototype Pollution via a crafted file
  • CVE-2023-22365 (Score 7.5): Regular Expression Denial of Service (ReDoS)

These security issues have been addressed in newer versions. The recommended solution is to use SheetJS directly from their CDN with version 0.20.3:

yarn remove xlsx
yarn add xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz

For newer Yarn versions that require explicit package naming, use the xlsx@ prefix as shown above.

Note that if you're using Snyk security tooling, you might still see warnings about "Prototype Pollution" (SNYK-JS-XLSX-5457926), but according to SheetJS, these are false positives for versions 0.19.3 and later. Their official recommendation is to suppress these warnings.

Thanks for bringing attention to these security issues.

This information is also documented in the official SheetJS documentation: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/

Since there's a clear solution available and the maintainers are aware of these issues, I believe this ticket can be closed. 👍

JuanTorchia avatar Mar 04 '25 04:03 JuanTorchia

If you don't want to give up the convenience of NPM, you can use these packages instead of xlsx; they are republished versions of the original package.

@e965/xlsx (https://github.com/SheetJS/sheetjs/issues/2822#issuecomment-1668303942) xlsx-republish (https://github.com/SheetJS/sheetjs/issues/2667#issuecomment-2354334791)

If you don't want to edit imports throughout the code, you can do it this way (for example):

- "xlsx": "0.18.5",
+ "xlsx": "npm:@e965/[email protected]",
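Review bot: the `+` line moves the dependency from the upstream `xlsx` name to the republished `@e965/xlsx`, so the trust boundary moves from SheetJS to that publisher; pin an exact version in the alias and commit the lockfile so the resolved tarball and its `integrity` hash are fixed, and confirm the republished tarball matches the SheetJS CDN release it claims to mirror before adopting it.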

e965 avatar Mar 18 '25 13:03 e965

works fine

federicowoodward avatar Mar 21 '25 13:03 federicowoodward

Hi, @JuanTorchia, my team upgraded to the latest version ("xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz",), but Snyk still flagged it. This was tested using the Snyk CLI. Is this expected, an error, or a false positive?

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-XLSX-6252523] in [email protected] introduced by [email protected] No upgrade or patch available

cpena-flexion avatar Mar 21 '25 18:03 cpena-flexion

Hi, @JuanTorchia, I tried this way, but the Snyk test still flagged it.

GisaKaze avatar Apr 29 '25 07:04 GisaKaze

I upgraded to 0.20.3 and am still getting the security issue in Snyk - SNYK-JS-XLSX-6252523

rotem1850 avatar May 08 '25 13:05 rotem1850

Works fine for me, thx..

beenh2we avatar Jun 19 '25 09:06 beenh2we

➕ 1 Same here - I have not found any direct information that suggests suppressing this one, but only for prototype pollution. Not sure if this is just another false positive, but it appears that way. Even SNYK says it's fixed in 0.20.2, but it still complains that it is a vulnerability 🤷 .

Nothing was noted about ignoring the ReDoS SNYK-JS-XLSX-6252523 in here: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/

However, I did find this: https://git.sheetjs.com/sheetjs/sheetjs/issues/3121 and this: https://cdn.sheetjs.com/advisories/CVE-2024-22363

It clearly says to upgrade to a version that SNYK still complains about.

MrGavintech avatar Jun 26 '25 13:06 MrGavintech

is it still alive?

ihor-zinchenko avatar Jul 16 '25 08:07 ihor-zinchenko

I am genuinely curious, why isn't this fixed using a standard npm release? Could someone explain it to me?

RockyStrongo avatar Aug 01 '25 07:08 RockyStrongo

Curious why this isn't being updated in npm? It gets over 3M downloads a week, for a version that has been vulnerable for years!

https://github.com/advisories/GHSA-4r6h-8v6p-xvw6

If the issue is they can't monetize it, then why don't they at least mark it as deprecated on NPM?

Ben-CA avatar Aug 04 '25 15:08 Ben-CA

@RockyStrongo @Ben-CA https://github.com/SheetJS/sheetjs/issues/2667

e965 avatar Aug 04 '25 16:08 e965

Can someone report them to NPM so they stop squatting the xlsx package name with their bullshit.

DanielSharp01 avatar Aug 06 '25 09:08 DanielSharp01

Any update for Snyk? "xlsx": "npm:@e965/[email protected]" still has the issue.

ork-acro avatar Aug 06 '25 15:08 ork-acro

@ork-acro The vulnerability was fixed in 0.19.3. I can assume that the problem is that your vulnerability manager checks packages first by keys (package name), and only then by value (version used). The latest version of the xlsx package on npm is still 0.18.5 - accordingly, your dependency manager considers it a threat, no matter what you specify as a value.

e965 avatar Aug 06 '25 20:08 e965
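An added check (example code, not from this thread or from SheetJS) for what e965 describes above: it reads the version and origin of the xlsx build that is actually installed, as recorded in package-lock.json, and compares them with the fix versions quoted in this thread, so a name-based scanner hit can be confirmed or dismissed on evidence. It assumes an npm package-lock.json (v2/v3); the Snyk ids, fix versions and install origins are the ones quoted in the thread, and the sample lock entries are constructed.

```javascript
// Added example, not code from the thread or from SheetJS. Node.js, no deps.
// Checks which xlsx build is really installed (version and origin recorded in
// package-lock.json) against the fix versions quoted in this thread, because a
// scanner that matches on the package *name* keeps flagging it at any version.

// Fix versions as quoted in the thread (assumed authoritative here):
// prototype pollution (SNYK-JS-XLSX-5457926) fixed from 0.19.3,
// ReDoS (SNYK-JS-XLSX-6252523) fixed from 0.20.2 according to Snyk.
const FIXED_FROM = {
  "SNYK-JS-XLSX-5457926": "0.19.3",
  "SNYK-JS-XLSX-6252523": "0.20.2",
};
// Origins the thread recommends: the SheetJS CDN tarball or the @e965 republish.
const TRUSTED_ORIGINS = ["https://cdn.sheetjs.com/", "https://registry.npmjs.org/@e965/xlsx/"];

// Dotted numeric compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// lockEntry: the "packages" -> "node_modules/xlsx" record of a package-lock.json
// (v2/v3). A CDN install records the tarball URL in `resolved`; the npm alias
// records name "@e965/xlsx" and a registry URL. Returns a verdict object.
function assessXlsx(lockEntry) {
  const version = lockEntry.version;
  const resolved = lockEntry.resolved || "";
  const stillAffected = Object.entries(FIXED_FROM)
    .filter(([, fixed]) => compareVersions(version, fixed) < 0)
    .map(([id]) => id);
  const trustedOrigin = TRUSTED_ORIGINS.some((o) => resolved.startsWith(o));
  const pinned = typeof lockEntry.integrity === "string" && lockEntry.integrity.length > 0;
  return { version, resolved, stillAffected, trustedOrigin, pinned,
    ok: stillAffected.length === 0 && trustedOrigin && pinned };
}

// Read the entry from a real lockfile (path is caller-supplied).
function assessLockfile(lockPath) {
  const lock = JSON.parse(require("fs").readFileSync(lockPath, "utf8"));
  return assessXlsx(lock.packages["node_modules/xlsx"]);
}

// Constructed sample entries (not from any real project); integrity hashes are placeholders.
const STALE_NPM = { version: "0.18.5",
  resolved: "https://registry.npmjs.org/xlsx/-/xlsx-0.18.5.tgz", integrity: "sha512-PLACEHOLDER" };
const CDN_0_20_3 = { version: "0.20.3",
  resolved: "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz", integrity: "sha512-PLACEHOLDER" };
```

Run `assessLockfile("./package-lock.json")` in a project that followed either install route; an `ok: true` verdict with an empty `stillAffected` list is the evidence to attach when suppressing the scanner finding.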

Why would npm publishing have been abandoned?

fractoholic avatar Sep 11 '25 20:09 fractoholic

seems fishy, for sure.

fractoholic avatar Sep 11 '25 20:09 fractoholic

I understand the maintainer wants to self-host the library, but at least give the choice of npm and CDN. Also, syncing the GitHub repo with the self-hosted Gitea repo would be nice.

clicktodev avatar Sep 30 '25 07:09 clicktodev

It works fine for me.

smayoorans avatar Nov 23 '25 10:11 smayoorans