CVE-2023-30533

HIGH

SheetJS Community Edition < 0.19.3 - Prototype Pollution via Crafted File

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-30533. PoCs published by BenEdridge, weareu.

Description

SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words, 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.

Exploits (2)

nomisec WORKING POC 12 stars
by BenEdridge · poc
https://github.com/BenEdridge/CVE-2023-30533

This PoC demonstrates prototype pollution in SheetJS (xlsx) by reading a malicious Excel file, which modifies the prototype chain of objects. The code logs the state of object prototypes before and after pollution to confirm the vulnerability.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: SheetJS Community Edition (xlsx) up to version 0.19.2
No auth needed
Prerequisites: A malicious Excel file ('threaded_comment_bad.xlsx') must be present in the working directory
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by weareu · poc
https://github.com/weareu/xlsx

This repository appears to be a legitimate SheetJS library fork but contains no exploit code or technical details related to CVE-2023-30533. The files are standard library components (minified JS, changelog, README) with no PoC or vulnerability analysis.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: SheetJS xlsx library
No auth needed
devstral-2 · analyzed Feb 20, 2026

Scores

CVSS v3 7.8
EPSS 0.0880
EPSS Percentile 92.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-1321
Status published
Products (2)
npm/xlsx 0npm
sheetjs/sheetjs < 0.19.3
Published Apr 24, 2023
Tracked Since Feb 18, 2026