CVE-2019-5032
Description
An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Aspose.Cells 19.1.0 vulnerable to out-of-bounds read in LabelSst record parser, leading to remote code execution via crafted XLS file.
Vulnerability
CVE-2019-5032 is an exploitable out-of-bounds read vulnerability in the LabelSst record parser of Aspose.Cells for C++ version 19.1.0. The issue exists in the library's handling of specially crafted XLS files during operations such as conversion to PDF. The vulnerable code path is reached when the library processes a malicious XLS file containing a malformed LabelSst record, triggering an out-of-bounds read from memory [1].
Exploitation
An attacker must deliver a specially crafted XLS file to a victim and convince them to open it using an application that leverages the vulnerable Aspose.Cells library (e.g., for file conversion or processing). The attack requires no authentication or network access, and no user interaction beyond opening the file. Upon processing the file, the out-of-bounds read occurs, and the attacker can leverage the memory corruption to achieve remote code execution. The vulnerability is triggered when a malformed index in the LabelSst record causes an out-of-bounds read from a pointer array, as demonstrated in the Talos advisory [1].
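As an added illustration of the missing check described above (not Aspose's code; the library's internals are not public), here is a small C reader for a BIFF8 LabelSst record that validates the file-controlled shared-string index against the size of the string table before dereferencing it. The record layout (rw, col, ixfe, isst) follows the documented BIFF8 format; the function name, status codes, string table and sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* BIFF8 LabelSst record body: rw(2) col(2) ixfe(2) isst(4), all little-endian. */
#define LABELSST_LEN 10u

enum labelsst_status { LSST_OK = 0, LSST_SHORT_RECORD = 1, LSST_BAD_INDEX = 2 };

static uint32_t le16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* Resolve one LabelSst record against an in-memory SST (an array of string pointers).
 * On success returns LSST_OK and sets *out; any malformed record is rejected and
 * *out stays NULL, so the file-controlled index is never used to read past the array. */
int parse_labelsst(const uint8_t *rec, size_t len,
                   const char *const *sst, size_t sst_count, const char **out)
{
    *out = NULL;
    if (len < LABELSST_LEN)           /* truncated record: do not read its fields */
        return LSST_SHORT_RECORD;
    uint32_t isst = le32(rec + 6);    /* index into the shared string table */
    if (isst >= sst_count)            /* the bounds check the described bug lacks */
        return LSST_BAD_INDEX;
    *out = sst[isst];
    return LSST_OK;
}

/* Constructed sample data (not taken from any real workbook). */
static const char *const SAMPLE_SST[] = { "Region", "Total", "Q1" };
#define SAMPLE_SST_COUNT (sizeof SAMPLE_SST / sizeof SAMPLE_SST[0])
/* rw=0 col=1 ixfe=15 isst=1 -> refers to "Total" */
static const uint8_t GOOD_REC[LABELSST_LEN] = { 0,0, 1,0, 15,0, 1,0,0,0 };
/* Same cell but isst=0xFFFFFFFF, far outside a 3-entry table */
static const uint8_t BAD_REC[LABELSST_LEN]  = { 0,0, 1,0, 15,0, 0xFF,0xFF,0xFF,0xFF };

int main(void)
{
    const char *s;
    int rc = parse_labelsst(GOOD_REC, sizeof GOOD_REC, SAMPLE_SST, SAMPLE_SST_COUNT, &s);
    printf("good record: status %d, text %s\n", rc, s ? s : "(none)");
    rc = parse_labelsst(BAD_REC, sizeof BAD_REC, SAMPLE_SST, SAMPLE_SST_COUNT, &s);
    printf("bad record:  status %d, text %s\n", rc, s ? s : "(none)");
    return 0;
}
```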
Impact
Successful exploitation of CVE-2019-5032 allows an attacker to execute arbitrary code on the target system within the context of the application using Aspose.Cells. This could lead to full compromise of confidentiality, integrity, and availability (CIA), including data theft, system damage, or further lateral movement. The CVSSv3 score is 9.8 (Critical) due to the network vector, no privileges required, and high impact on all three CIA characteristics [1].
Mitigation
Aspose has released a fix in a newer version of the library. Users should upgrade to a version later than 19.1.0. As of the publication date (2019-08-21), the fixed version details are available through Aspose's official channels. There is no known workaround other than avoiding processing untrusted XLS files in vulnerable versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of 2025 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Aspose/Aspose.Cells
- Range: = 19.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.talosintelligence.com/vulnerability_reports/TALOS-2019-0794 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.