CVE-2023-30533
Published: 24 April 2023
Summary
CVE-2023-30533 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Sheetjs Sheetjs (SheetJS Community Edition). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
SheetJS Community Edition before version 0.19.3 is affected by a prototype pollution vulnerability, tracked as CVE-2023-30533 and assigned CWE-1321. The flaw allows an attacker to supply a specially crafted spreadsheet file that, when parsed by the library, pollutes JavaScript object prototypes. The issue is present in all releases through 0.19.2 and was corrected in 0.19.3.
An attacker can exploit the vulnerability by delivering a malicious file to a victim who then opens it with an application that uses the vulnerable SheetJS library. The CVSS vector indicates a local attack vector, no privileges required, and user interaction required; successful exploitation can result in arbitrary code execution or other impacts affecting confidentiality, integrity, and availability.
The vendor advisory at cdn.sheetjs.com and the project changelog both recommend upgrading to SheetJS Community Edition 0.19.3 or later. The associated Git repository issue and commit history confirm that the prototype-pollution vectors were removed in that release.
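As an added defensive example (not code from the SheetJS project or from this advisory), the guard below refuses to parse with an affected release and treats any new key on Object.prototype or Array.prototype after a parse as a sign of CWE-1321 pollution; `parseFn` is a hypothetical stand-in for the library's read call so the snippet runs without SheetJS installed.

```javascript
// Added example, not SheetJS code: gate an untrusted-workbook parse on the
// library version and detect the CWE-1321 symptom (new keys on shared prototypes).
const FIXED_VERSION = '0.19.3'; // first unaffected SheetJS CE release per the advisory

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// true when the installed SheetJS CE version is affected (0.19.2 and earlier)
function isAffectedSheetJsVersion(installedVersion) {
  const a = parseSemver(installedVersion), b = parseSemver(FIXED_VERSION);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Own property names of the shared prototypes a polluting parse would touch.
function snapshotPrototypes() {
  return {
    Object: new Set(Object.getOwnPropertyNames(Object.prototype)),
    Array: new Set(Object.getOwnPropertyNames(Array.prototype)),
  };
}

// Keys present now that were absent in `before`, as [protoName, key] pairs.
function newPrototypeKeys(before) {
  const after = snapshotPrototypes(), added = [];
  for (const name of Object.keys(after))
    for (const k of after[name]) if (!before[name].has(k)) added.push([name, k]);
  return added;
}

// `parseFn` is a hypothetical stand-in for XLSX.read(data, opts) so this runs
// without the library installed; `data` is the untrusted file contents.
function guardedParse(installedVersion, parseFn, data) {
  if (isAffectedSheetJsVersion(installedVersion))
    throw new Error(`SheetJS ${installedVersion} is affected by CVE-2023-30533; upgrade to ${FIXED_VERSION} or later`);
  const before = snapshotPrototypes();
  const result = parseFn(data);
  const polluted = newPrototypeKeys(before);
  if (polluted.length) {
    // Undo the injected keys so later code is not affected, then reject the file.
    for (const [name, k] of polluted) delete globalThis[name].prototype[k];
    throw new Error(`prototype pollution detected after parse: ${polluted.map(p => p.join('.prototype.')).join(', ')}`);
  }
  return result;
}
```

The version gate is a deployment-time check; the prototype snapshot is a runtime canary and does not catch symbol-keyed or already-existing keys being overwritten.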
The EPSS score has remained flat at 0.0880 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1194
Vulnerability details
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words, 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.
- CWE(s): CWE-1321 (Prototype Pollution)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.