CVE-2021-32014
Denial of Service vulnerability in xlsx

Category: Denial of Service. Known public exploits: none.

What is CVE-2021-32014 About?

This is a Denial of Service (DoS) vulnerability in SheetJS Pro versions through 0.16.9, specifically affecting `xlsx.js`. An attacker can cause high CPU consumption and a DoS by providing a crafted `.xlsx` document. Exploitation is achieved by supplying a malformed file to the vulnerable software.

Affected Software

  • xlsx
    • <0.17.0
  • org.webjars.npm:xlsx
    • <0.17.0

Technical Details

SheetJS Pro versions up to and including 0.16.9 are vulnerable to a denial of service attack. The vulnerability resides in the `xlsx.js` component, which is responsible for parsing `.xlsx` documents. An attacker can craft a malformed `.xlsx` document that, when processed by `xlsx.js`, triggers an inefficient parsing routine or an algorithmic complexity vulnerability. The crafted document causes the parser to enter an excessive or infinite loop, or to perform computationally expensive operations for an unusually long time. The result is high CPU utilization, memory exhaustion, and ultimately an unresponsive process: a denial of service for any application or service that uses the vulnerable SheetJS library to read the malicious `.xlsx` file.

What is the Impact of CVE-2021-32014?

Successful exploitation may allow attackers to disrupt services, make systems unresponsive, or cause resource exhaustion, leading to operational downtime and degraded performance.

What is the Exploitability of CVE-2021-32014?

Exploitation of this vulnerability is of low to medium complexity and requires only that the attacker craft a specific malformed `.xlsx` file. No authentication or privilege is typically needed beyond the ability to submit an `.xlsx` file to the application. The vulnerability is remotely reachable whenever the application accepts and processes `.xlsx` uploads from untrusted sources. The precondition is that the application uses the vulnerable `xlsx.js` component to read user-supplied files; the primary risk factor is reliance on the vulnerable library to process untrusted spreadsheet documents without robust input validation and parsing safeguards (such as file size limits and bounded parse time).

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2021-32014?

Available Upgrade Options

  • xlsx
    • <0.17.0 → Upgrade to 0.17.0
  • org.webjars.npm:xlsx
    • <0.17.0 → Upgrade to 0.17.0
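To check whether a project still pins an affected `xlsx` release, the following added example (not code from the advisory or from SheetJS) scans a parsed npm lockfile for any copy of `xlsx` below the fixed version 0.17.0, including nested copies pulled in transitively. It assumes the standard npm lockfile shapes (lockfileVersion 2/3 with a `packages` map, or lockfileVersion 1 with nested `dependencies`) and uses a constructed sample lockfile as input.

```javascript
// Added example: audit an npm lockfile for xlsx installs in the affected
// range (< 0.17.0 per the advisory). Not part of the advisory or SheetJS.
// Assumes lockfileVersion 2/3 ("packages" map) or 1 (nested "dependencies").

const FIXED_VERSION = "0.17.0"; // first release outside the affected range

// Numeric compare of "major.minor.patch"; a pre-release suffix is dropped,
// so "0.17.0-beta" compares equal to "0.17.0" (deliberate simplification).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Return every install path of xlsx whose version is in the affected range,
// formatted as "<path>@<version>", e.g. "node_modules/xlsx@0.16.9".
function findVulnerableXlsx(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/xlsx$/.test(path) && pkg.version && isAffected(pkg.version)) {
        hits.push(`${path}@${pkg.version}`);
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "xlsx" && isAffected(dep.version)) hits.push(`${path}@${dep.version}`);
        if (dep.dependencies) walk(dep.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v2 shape): the top-level xlsx is fixed, but a
// transitive dependency still carries a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/xlsx": { version: "0.17.0" },
    "node_modules/legacy-report/node_modules/xlsx": { version: "0.16.9" },
  },
};

console.log(findVulnerableXlsx(SAMPLE_LOCK)); // ["node_modules/legacy-report/node_modules/xlsx@0.16.9"]
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means an upgrade (or an override for the nested copy) is still needed.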


Additional Resources

What are Similar Vulnerabilities to CVE-2021-32014?

Similar Vulnerabilities: CVE-2023-45815, CVE-2023-45811, CVE-2023-38048, CVE-2023-35073, CVE-2023-33923