CVE-2023-30533
Prototype Pollution vulnerability in xlsx (npm)

Prototype Pollution Proof of concept

What is CVE-2023-30533 About?

SheetJS CE versions up to 0.19.2 are vulnerable to Prototype Pollution when processing specially crafted files. This allows an attacker to inject arbitrary properties into JavaScript object prototypes, which can lead to various runtime issues or potentially remote code execution. Exploitation requires the processing of a malicious file, making it dependent on specific application workflows.

Affected Software

N/A

Technical Details

This vulnerability affects all versions of SheetJS CE through 0.19.2 and manifests as a Prototype Pollution issue. When the library reads specially crafted files (e.g., spreadsheet formats), an attacker can inject properties into Object.prototype. Properties added by the attacker then become available on all JavaScript objects, potentially disrupting application logic, bypassing security checks, or even enabling remote code execution if sensitive methods are overridden or new properties are introduced into critical objects that the application later uses. The attack vector specifically involves crafting files that, when parsed by SheetJS, trigger the prototype pollution.
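To check whether a project installs a release in the affected range, the following added example (not code from this advisory or from SheetJS) scans a parsed package-lock.json for the npm package xlsx at any version through 0.19.2, including copies nested under other dependencies. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: report installs of the npm package "xlsx" at versions
// through 0.19.2, the affected range this advisory states.
const LAST_AFFECTED = [0, 19, 2];

// True when version <= 0.19.2. A version that does not parse (a URL, a git
// reference, a missing field) is reported too, so it gets a manual look.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 0.19.2
}

// Accepts a parsed package-lock.json. Covers the "packages" map
// (lockfileVersion 2 and 3) and nested "dependencies" (lockfileVersion 1).
function findAffectedXlsx(lock) {
  const hits = new Map(); // keyed by install path, so v2 files do not double-report
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/xlsx$/.test(path) && isAffected(info.version)) {
      hits.set(path, info.version);
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "xlsx" && isAffected(info.version)) hits.set(path, info.version);
      walk(info.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xlsx": { version: "0.18.5" },
    "node_modules/report-tool/node_modules/xlsx": { version: "0.19.2" },
    "node_modules/exporter/node_modules/xlsx": { version: "0.20.0" },
    "node_modules/xlsx-populate": { version: "1.21.0" },
  },
};

console.log(findAffectedXlsx(SAMPLE_LOCK));
```

In a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `findAffectedXlsx`; transitive copies matter because any of them may be the one that parses an uploaded file.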

What is the Impact of CVE-2023-30533?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to denial of service, data tampering, or potentially remote code execution depending on how the modified prototypes are subsequently used by the application.

What is the Exploitability of CVE-2023-30533?

Exploitation of this Prototype Pollution vulnerability requires the application to process a specially crafted file from an untrusted source. The complexity is moderate, as it involves understanding how SheetJS parses files and identifying suitable injection points. No specific authentication or privilege requirements are noted, meaning if a user can upload or provide a file for processing, the vulnerability could be triggered. This is typically a remote attack if file submission is done over a network, but could be local if it involves direct file manipulation on a system. The exploitability is high if the affected SheetJS library is used in workflows that routinely process arbitrary files from external and untrusted origins, making it a critical risk factor.

What are the Known Public Exploits?

PoC Author | Link | Commentary
BenEdridge | Link | There were no proper POCs for CVE-2023-30533 so I made one. (Reported by Vsevolod Kokorin)

What are the Available Fixes for CVE-2023-30533?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2023-30533?

Similar Vulnerabilities: CVE-2021-23386, CVE-2020-28280, CVE-2020-7667, CVE-2019-11358, CVE-2021-3807