CVE-2021-32013
Denial of Service vulnerability in xlsx (npm)

Severity class: Denial of Service · Known exploits: none · Fix: available from Resolved Security

What is CVE-2021-32013 About?

This vulnerability in SheetJS Pro allows attackers to trigger a denial of service by providing a specially crafted .xlsx document. When the document is processed by xlsx.js, it leads to excessive memory consumption. Exploiting this simply requires providing a malicious file to the vulnerable software.

Affected Software

  • xlsx
    • <0.17.0
  • org.webjars.npm:xlsx
    • <0.17.0

Technical Details

The vulnerability in SheetJS Pro through 0.16.9 (specifically issue 2 of 2) is a Denial of Service via excessive memory consumption. An attacker crafts a malicious .xlsx document designed to exploit inefficient parsing or storage mechanisms within the xlsx.js component. Upon processing this crafted file, the software attempts to allocate or manipulate an inordinate amount of memory, quickly exhausting available system resources. This leads to the application crashing, becoming unresponsive, or otherwise ceasing to function as intended, effectively causing a denial of service for legitimate users.

What is the Impact of CVE-2021-32013?

Successful exploitation may allow attackers to cause a denial of service, rendering the application or system unavailable to legitimate users.

What is the Exploitability of CVE-2021-32013?

Exploitation is relatively low complexity, as it only requires an attacker to provide a specially crafted .xlsx document to a user or system processing such files with SheetJS Pro. No authentication is required for the attacker; the vulnerability is triggered by the parsing of the malicious document. This is typically a remote attack in scenarios where the application processes user-supplied files. The main prerequisite is that the user or an automated system processes the untrusted .xlsx file. The likelihood of exploitation increases if the application routinely ingests untrusted or external spreadsheet files.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2021-32013?

A Fix by Resolved Security Exists!
Learn how we backport CVE fixes to your open-source libraries effortlessly.

About the Fix from Resolved Security

None

Available Upgrade Options

  • xlsx
    • <0.17.0 → Upgrade to 0.17.0
  • org.webjars.npm:xlsx
    • <0.17.0 → Upgrade to 0.17.0
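Before and after upgrading, a practitioner will want to confirm that no copy of the npm package in the affected range (<0.17.0) remains installed, including transitive copies nested under other dependencies. The following is an added example, not code from this advisory or from SheetJS: it audits a package-lock.json (both the v1 nested "dependencies" layout and the v2/v3 flat "packages" layout) for xlsx versions below 0.17.0. The sample lockfile is constructed for illustration; the org.webjars.npm:xlsx Maven artifact is not covered, since it does not appear in npm lockfiles.

```javascript
// Added example (not from the advisory or SheetJS): audit a package-lock.json
// for xlsx versions in the affected range (<0.17.0) for CVE-2021-32013.
const PACKAGE = 'xlsx';
const FIXED_VERSION = '0.17.0';

// Compare two dotted numeric versions; returns <0, 0 or >0. Prerelease and
// build suffixes are dropped, which is adequate for xlsx release tags.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The affected range from the advisory is "<0.17.0".
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Return every install path at which an affected xlsx version is present.
function findVulnerableXlsx(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map keyed by "node_modules/.../node_modules/<name>".
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = path.split('node_modules/').pop();
      if (name === PACKAGE && info.version && isVulnerable(info.version)) {
        hits.push(`${path}@${info.version}`);
      }
    }
    return hits;
  }
  // v1: nested "dependencies" objects, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && isVulnerable(info.version)) hits.push(`${path}@${info.version}`);
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: a direct xlsx 0.16.9 plus a patched transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { xlsx: '^0.16.0' } },
    'node_modules/xlsx': { version: '0.16.9' },
    'node_modules/report-gen/node_modules/xlsx': { version: '0.17.0' },
  },
};

console.log(findVulnerableXlsx(SAMPLE_LOCK)); // [ 'node_modules/xlsx@0.16.9' ]
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means every installed xlsx copy is at or above the fixed version.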


Additional Resources

What are Similar Vulnerabilities to CVE-2021-32013?

Similar Vulnerabilities: CVE-2018-1000130, CVE-2019-11357, CVE-2020-13936, CVE-2020-25219, CVE-2020-28052