Skip to content

Vulnerability for dependency xlsx (upgrade sheetjs dependency to address Prototype Pollution vulnerability (CVE-2023-30533)) #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
goiaalexandru opened this issue Mar 20, 2024 · 6 comments
Open

Vulnerability for dependency xlsx (upgrade sheetjs dependency to address Prototype Pollution vulnerability (CVE-2023-30533)) #49

goiaalexandru opened this issue Mar 20, 2024 · 6 comments

Comments

@goiaalexandru
Copy link

goiaalexandru commented Mar 20, 2024
edited
Loading

Description:
The current version of the sheetjs dependency used in this package is vulnerable to a Prototype Pollution attack (CVE-2023-30533). This vulnerability can be exploited to potentially compromise the application's security.

Details:
@jesse-tong
Copy link

I found that the outdated version in npm is related to this: SheetJS/sheetjs#2667
Someone has actually made a replacement package there tho: https://www.npmjs.com/package/@e965/xlsx, which is build on the new git repo

@jesse-tong
Copy link

@cscan Please response to this since this is quite important tho (the original npm package has been abandoned and the xlsx maintainers did not even mention anything on npm)

ZENG-JING-YUAN added a commit to San-17150419/fp_fe that referenced this issue Jul 26, 2024
@ZENG-JING-YUAN
chore: Remove unused and unsafe dependency
01c46d7 
`xlsx` is removed due to the author is no longer publishing update to
the npm registry. The current version on npm is vulnerable to a
Prototype Pollution attack.
(read:cscan/vue3-excel-editor#49)
@cscan
Copy link
Owner

cscan commented Oct 31, 2024

I make npm install xlsx@latest, the version is still 0.18.5

@CageThrottleUs
Copy link

CageThrottleUs commented Dec 16, 2024
edited
Loading

I make npm install xlsx@latest, the version is still 0.18.5

I think the issue that is being discussed here is, that there are no new updates on npm.
The developers of the original xlsx package don't update their package on npm anymore. A solution would be to replace it with an updated version of the same package (https://www.npmjs.com/package/@e965/xlsx)

@Kedrihan
Copy link

Hello,
I've just sumbitted PR #69 to fix this.

@ChronosMasterOfAllTime
Copy link

ChronosMasterOfAllTime commented May 14, 2025
edited
Loading

@Kedrihan As a temporary workaround you can add the following in your package.json:

"overrides": {
  "dependency": {
    "vue3-excel-editor": {
        "xlsx": "npm:@e965/xlsx@^0.20.3",
    }
  }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@cscan @Kedrihan @goiaalexandru @ChronosMasterOfAllTime @jesse-tong @CageThrottleUs