All versions of SheetJS CE through 0.19.2 are vulnerable to “Prototype Pollution” when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.
All releases of SheetJS Community Edition up to version 0.19.2 are affected. This includes:
- scripts and modules on the SheetJS CDN through version 0.19.2 [2]
- modules published with the name `xlsx` on npmjs.com [3]
- scripts on third-party CDNs that pull from the `xlsx` package on npmjs.com [4] [5]
- modules published with the name `sheetjs` on deno.land [6]
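One way to check a project against the affected range listed above, as an added example (not code from SheetJS or from this advisory): it scans a parsed npm `package-lock.json` for `xlsx` installs at or below 0.19.2. The function names, the sample lockfile, and every package name other than `xlsx` are assumptions constructed for illustration.

```javascript
// Added example: find `xlsx` installs at or below 0.19.2 in a parsed package-lock.json.
const LAST_AFFECTED = [0, 19, 2]; // from the advisory: "through 0.19.2"

// True when `version` is <= 0.19.2; unparseable values are flagged for manual review.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== LAST_AFFECTED[i]) return parts[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 0.19.2
}

function findAffectedXlsx(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  // An aliased install keeps the real package name in `name`.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isXlsx = meta.name === "xlsx" || /(^|\/)node_modules\/xlsx$/.test(path);
    if (isXlsx && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xlsx" && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (package names other than `xlsx` are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xlsx": { version: "0.18.5" },
    "node_modules/report-tool/node_modules/xlsx": { version: "0.19.2" },
    "node_modules/sheet-alias": { name: "xlsx", version: "0.17.0" },
    "node_modules/not-xlsx": { version: "0.1.0" },
    "node_modules/other/node_modules/xlsx": { version: "0.20.0" },
  },
};

console.log(findAffectedXlsx(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffectedXlsx`; transitive copies nested under other packages are reported with their install path.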