CVE-2023-30533

7.8 HIGH

📋 TL;DR

CVE-2023-30533 is a prototype pollution vulnerability in SheetJS Community Edition that allows attackers to modify JavaScript object prototypes by uploading a specially crafted file. This affects applications using SheetJS to parse Excel files, potentially leading to denial of service, data corruption, or remote code execution. All users of SheetJS Community Edition versions before 0.19.3 are affected.

💻 Affected Systems

Products:
  • SheetJS Community Edition (sheetjs)
Versions: All versions before 0.19.3
Operating Systems: All operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Community Edition; Pro Edition is not affected. Requires file parsing functionality to be exploited.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service, application crashes, or data corruption in affected applications.

🟢 If Mitigated

Limited impact with proper input validation and file upload restrictions in place.

🌐 Internet-Facing: HIGH - Any application accepting file uploads from untrusted sources is vulnerable.
🏢 Internal Only: MEDIUM - Internal users could exploit if they can upload malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires uploading a malicious file to an application using vulnerable SheetJS versions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.19.3 and later

Vendor Advisory: https://cdn.sheetjs.com/advisories/CVE-2023-30533

Restart Required: No

Instructions:

1. Update SheetJS Community Edition to version 0.19.3 or later using npm update sheetjs.
2. Verify the update with npm list sheetjs.
3. Test file parsing functionality after the update.

🔧 Temporary Workarounds

Input Validation and File Restrictions

Platform: all

Implement strict file type validation and size limits for uploaded files.

Sandbox File Processing

Platform: all

Process uploaded files in isolated containers or serverless functions.

🧯 If You Can't Patch

  • Disable file upload functionality for untrusted users
  • Implement Web Application Firewall (WAF) rules to block malicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list sheetjs to see whether the installed version is below 0.19.3.

Check Version:

npm list sheetjs | grep sheetjs

Verify Fix Applied:

Confirm sheetjs version is 0.19.3 or higher using npm list sheetjs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Application crashes during file parsing
  • Error logs mentioning SheetJS or prototype pollution

Network Indicators:

  • Large or unusual file uploads to endpoints handling Excel files
  • Multiple failed parsing attempts

SIEM Query:

source="application.log" AND ("sheetjs" OR "prototype pollution" OR "file parsing error")
