CVE-2024-22363
Regular Expression Denial of Service (ReDoS) vulnerability in xlsx (npm)
What is CVE-2024-22363 About?
SheetJS Community Edition before 0.20.2 is susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability. This flaw can lead to a denial of service if specially crafted input is processed by the application. Exploitation is relatively easy for an attacker who can supply malicious input.
Affected Software
Technical Details
The Regular Expression Denial of Service (ReDoS) vulnerability in SheetJS Community Edition before 0.20.2 occurs when a poorly constructed regular expression is used in a way that, given specific malicious input strings, causes it to take an inordinate amount of time to process. This exponential or polynomial time complexity can consume significant CPU resources, leading to the application becoming unresponsive. An attacker can craft a string that exploits this behavior, and when SheetJS attempts to process it, the regular expression engine gets stuck in excessive backtracking, effectively causing a denial of service for the component or the entire application.
What is the Impact of CVE-2024-22363?
Successful exploitation may allow attackers to cause a denial-of-service condition, making the affected application or component unresponsive to legitimate users.
What is the Exploitability of CVE-2024-22363?
Exploitation of this ReDoS vulnerability is relatively straightforward for an attacker who can provide input to the SheetJS library. The complexity is low to moderate, as it primarily involves crafting a malicious string that triggers the problematic regular expression. There are no specific authentication or privilege requirements beyond the ability to submit data that will be processed by SheetJS. This is typically a remote attack vector, where an attacker sends data to a server-side application using SheetJS, or a local attack if SheetJS is used in a client-side context processing untrusted input. The risk significantly increases if the application accepts arbitrary user input that is then parsed or validated using the vulnerable regular expression within SheetJS.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-22363?
Available Upgrade Options
- No fixes available
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-22363
- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2
- https://git.sheetjs.com/sheetjs/sheetjs
- https://cdn.sheetjs.com/advisories/CVE-2024-22363
- https://cdn.sheetjs.com/advisories/CVE-2024-22363
- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2
- https://cwe.mitre.org/data/definitions/1333.html
- https://cwe.mitre.org/data/definitions/1333.html
- https://cdn.sheetjs.com
- https://osv.dev/vulnerability/GHSA-5pgg-2g8v-p4x9
What are Similar Vulnerabilities to CVE-2024-22363?
Similar Vulnerabilities: CVE-2023-28155 , CVE-2023-46387 , CVE-2023-38031 , CVE-2023-32049 , CVE-2022-24953
