PGV-2330205 - Prototype Pollution in sheetJS

Disclosed on April 24, 2023 (updated September 19, 2025)

Vulnerability Overview

PGV-2330205 is a category 1 vulnerabilty that affects xlsx, versions (all)

CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Risk Assessment

The risk assessment shows that this vulnerability is exlpoited by a compromised user. A legitimate user who unknowingly triggers exploitation of this vulnerability through normal interaction.

The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.

The threat damage is caused by a denial of service. Exploitation can completely deny access to the application, resulting in a full outage.is caused by a data breach. Exploitation can result in full access to data within the system.is caused by data tampering. Exploitation can result in modification of any data (authorized or not) within the system.

Vulnerability Details

All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained. Version 0.19.3 can be downloaded via https://cdn.sheetjs.com/.

Common Weakness Enumerations

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Additional References

Your Risk Profile

Network Exposure	External Accessable from the public internet
Access Interface	WebBrowser Primarily web-based applications
Service Outage	Disruptive Operations would be impacted
Data Breach	Disruptive Operations would be impacted
Data Tampering	Disruptive Operations would be impacted
Customize

Additional Identifiers

CVE-2023-30533
GHSA-4r6h-8v6p-xvw6