Cyber Resilience

CVE-2023-30533

High

Published: 24 April 2023
Modified: 04 February 2025
KEV Added: not listed (see Summary)
Patch: upgrade to SheetJS Community Edition 0.19.3 or later (see Deeper analysis)
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0880 (92.7th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-30533 is a high-severity Prototype Pollution (CWE-1321) vulnerability in SheetJS Community Edition. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

SheetJS Community Edition before version 0.19.3 is affected by a prototype pollution vulnerability, tracked as CVE-2023-30533 and assigned CWE-1321. The flaw allows an attacker to supply a specially crafted spreadsheet file that, when parsed by the library, pollutes JavaScript object prototypes. The issue is present in all releases through 0.19.2 and was corrected in 0.19.3.

An attacker can exploit the vulnerability by delivering a malicious file to a victim who then opens it with an application that uses the vulnerable SheetJS library. The CVSS vector reflects this: local attack vector, no privileges required, and user interaction required. Its high confidentiality, integrity, and availability ratings reflect that successful exploitation can result in arbitrary code execution or other impacts affecting all three.

The vendor advisory at cdn.sheetjs.com and the project changelog both recommend upgrading to SheetJS Community Edition 0.19.3 or later. The associated Git repository issue and commit history confirm that the prototype-pollution vectors were removed in that release.
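As an added example (not code from SheetJS, the advisory, or this page), two defensive checks a consumer of the library can apply: a version test against the 0.19.3 fix threshold, and a guard that snapshots Object.prototype before handing an untrusted file to any parser and undoes pollution it detects. The parser functions are constructed stand-ins, not the real library.

```javascript
// Added example: defensive checks around CVE-2023-30533 (not SheetJS code).
// 1. isAffectedSheetJS(version): true when a SheetJS CE version is < 0.19.3.
//    Pass the resolved version from the lockfile, not a caret/tilde range.
// 2. parseWithPrototypeGuard(parseFn, input): runs an untrusted parse and
//    reports and removes any properties added to Object.prototype meanwhile.

const FIXED_VERSION = [0, 19, 3]; // first fixed release named in the advisory

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function isAffectedSheetJS(version) {
  const parts = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false; // exactly 0.19.3 is fixed
}

function parseWithPrototypeGuard(parseFn, input) {
  // String-keyed properties only; symbol keys would need getOwnPropertySymbols.
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  const result = parseFn(input);
  const added = Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
  for (const k of added) {
    delete Object.prototype[k]; // undo before any other code can inherit it
    if (Object.prototype.hasOwnProperty(k)) {
      throw new Error(`could not remove polluted prototype key: ${k}`);
    }
  }
  return { result, polluted: added.length > 0, addedKeys: added };
}

// Constructed stand-ins (hypothetical): a benign parser just counts rows;
// the polluting one also writes to the prototype, simulating the effect a
// crafted file has on the vulnerable library.
function benignParser(text) { return { rows: text.split("\n").length }; }
function pollutingParserStandIn(text) {
  const parsed = benignParser(text);
  Object.prototype.isAdmin = true; // simulated pollution (constructed)
  return parsed;
}
```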

The EPSS score has remained flat at 0.0880 with no material increase since disclosure.

Vulnerability details

SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words, 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.

CWE(s)

CWE-1321 (Prototype Pollution)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sheetjs
Product: sheetjs
Versions: ≤ 0.19.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References