CVE-2021-32012
Denial of Service vulnerability in xlsx
What is CVE-2021-32012 About?
This vulnerability allows attackers to cause a denial of service due to excessive memory consumption in SheetJS Pro. A crafted .xlsx document, when processed by xlsx.js, leads to the exhaustion of available memory resources. Exploitation is relatively easy, requiring the delivery and processing of a malicious file.
Affected Software
- xlsx
  - <0.17.0
- org.webjars.npm:xlsx
  - <0.17.0
Technical Details
The vulnerability, designated as issue 1 of 2, exists in SheetJS Pro through version 0.16.9 and specifically impacts its xlsx.js component. An attacker can create a specially crafted .xlsx document that, when read and parsed by the vulnerable library, triggers an uncontrolled allocation or consumption of memory. This malicious document is designed to exploit inefficiencies or flaws in how xlsx.js handles certain data structures or elements within the spreadsheet format, leading to a rapid and substantial increase in memory usage. This excessive memory consumption ultimately exhausts the system's resources, resulting in a denial of service condition for the application or system processing the file.
What is the Impact of CVE-2021-32012?
Successful exploitation may allow attackers to disrupt service availability, cause applications to crash due to out-of-memory errors, and potentially affect the stability of the underlying system, leading to operational downtime or data loss.
What is the Exploitability of CVE-2021-32012?
Exploitation of this denial of service vulnerability is of low to moderate complexity. It requires an attacker to construct and deliver a specially crafted .xlsx file to a victim. The file must then be processed by an application utilizing SheetJS Pro. There are no explicit authentication or privilege requirements, as the vulnerability can be triggered by merely processing the malicious file. The attack vector can be remote if the malformed file is received through common channels (e.g., email, web upload) and subsequently processed. Key prerequisites include the ability to deliver the malicious file and for the target application to accept and parse untrusted .xlsx documents. The risk is increased in environments that regularly handle external spreadsheet files.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-32012?
Available Upgrade Options
- org.webjars.npm:xlsx
  - <0.17.0 → Upgrade to 0.17.0
- xlsx
  - <0.17.0 → Upgrade to 0.17.0
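A dependency check for the upgrade above, as an added example that is not part of the advisory or of SheetJS: it classifies every `xlsx` install in a parsed `package-lock.json` against the 0.17.0 fix version, including copies nested under other packages. The lockfile contents are constructed, and `report-tool` and `xlsx-helper` are hypothetical package names.

```javascript
// Added example (not from the advisory): classify xlsx installs in a parsed
// package-lock.json against the fixed release 0.17.0 named on this page.
const FIXED = [0, 17, 0];

function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return 'unknown'; // git URL or tarball spec: needs manual review
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i] ? 'affected' : 'fixed';
  }
  return m[4] ? 'affected' : 'fixed'; // 0.17.0-rc.1 sorts before 0.17.0
}

function findXlsx(lock) {
  const hits = [];
  const add = (path, meta) =>
    hits.push({ path, version: meta.version, status: classify(meta.version) });
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/xlsx' || path.endsWith('/node_modules/xlsx')) add(path, meta);
  }
  if (hits.length) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === 'xlsx') add(path, meta);
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; "report-tool" and "xlsx-helper" are hypothetical.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/xlsx': { version: '0.16.9' },
    'node_modules/report-tool/node_modules/xlsx': { version: '0.17.0' },
    'node_modules/xlsx-helper': { version: '1.2.3' },
  },
};

for (const hit of findXlsx(sampleLock)) {
  console.log(`${hit.status.padEnd(8)} ${hit.version}  ${hit.path}`);
}
```

In a real project, pass the result of `JSON.parse` on the project's `package-lock.json` to `findXlsx` and fail the build when any entry is `affected` or `unknown`.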
Additional Resources
- https://sheetjs.com/pro
- https://nvd.nist.gov/vuln/detail/CVE-2021-32012
- https://www.npmjs.com/package/xlsx/v/0.17.0
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/
- https://osv.dev/vulnerability/GHSA-3x9f-74h4-2fqr
What are Similar Vulnerabilities to CVE-2021-32012?
Similar Vulnerabilities: CVE-2021-32014, CVE-2021-29482, CVE-2021-32723, CVE-2021-32640, CVE-2021-29469
