[Security] Prototype Pollution in sheetJS

[lukewang2018]

[Security] Prototype Pollution in sheetJS

GHSA-4r6h-8v6p-xvw6

Affected version: 0.19.3

Description
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

References
https://nvd.nist.gov/vuln/detail/CVE-2023-30533
https://cdn.sheetjs.com/advisories/CVE-2023-30533
https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md

[mushishi78]

Am I the only one confused that it say it's fixed in 0.19.3 but the latest release of this is 0.18.5?

Ah I can see your meant to do yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz. Don't mind me. https://docs.sheetjs.com/docs/getting-started/installation/nodejs

[amorimrafael]

Hi guys,

Does anyone know if they have plans to publish this version here on github?

[invaderb]

+1 for an update on this?

[jimmykane]

Why is this not published to NPM ?

[Cellule]

As explained in the Readme, this project is no longer maintained on Github and no longer published to npm.
I don't know the reasons why, but moving forward you are supposed to install using their cdn yarn add xlsx@https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

sheetjs/README.md

Lines 3 to 16 in 5b4806b

	> ## 🏠 New Home
	>
	> The new home for SheetJS CE is <https://git.sheetjs.com/sheetjs/sheetjs>, a
	> hosted Gitea instance sponsored by SheetJS LLC. SheetJS CE remains a truly
	> open source project under the Apache 2.0 License.
	>
	> Issues should be raised at [the new issue tracker](https://git.sheetjs.com/sheetjs/sheetjs/issues).
	> Users can register directly or sign in with a valid GitHub account.
	>
	> [The documentation](https://docs.sheetjs.com/docs/getting-started/#installation)
	> includes instructions for using the new distribution points.
	>
	> Legacy distribution points (including the `SheetJS/sheetjs` Git repository on
	> GitHub and the `xlsx` package on npmjs.com) will not be receiving updates.

Relevant issue as to "why" they no longer publish on npm
https://git.sheetjs.com/sheetjs/sheetjs/issues/2667

I am too a little concerned about how future CVE will be reported and notify users. I feel the switch out of npm didn't take into account security concerns.

[Cellule]

Opened another issue on their tracker for future CVE alerting (not explicit of this particular CVE), but more a concern for the future for people switching from NPM to their CDN
https://git.sheetjs.com/sheetjs/sheetjs/issues/2935

[invaderb]

That really is piss poor communication on the sheetjs team's part, having it just in their docs is not a wide enough reach to everyone that uses this package, there is nothing in the github readme or on the npm page about essentially the deprecation of the package on npmjs. They should throw up a banner or a message about it, especially for a package that gets 2 million weekly downloads...

I have the same concerns especially about missing out on future security issues with this package now that we have to use the CDN to get updates. I'm also weary about using smaller CDN's, there's a reason why npmjs is the standard and will be around much longer than sheetjs

Just to note for others you don't have to use yarn to install from the CDN you can still use npm or pnpm:
npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

[Snailedlt]

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here