CVE-2021-32012
Description
SheetJS and SheetJS Pro prior to 0.16.9 are vulnerable to denial of service via memory exhaustion when parsing a crafted .xlsx file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SheetJS and SheetJS Pro prior to 0.16.9 are vulnerable to denial of service via memory exhaustion when parsing a crafted .xlsx file.
Vulnerability
SheetJS and SheetJS Pro through version 0.16.9 are susceptible to a denial of service (memory exhaustion) vulnerability when processing a specially crafted .xlsx file. The issue is triggered during the parsing of workbook structures in the library's xlsx.js component. No special configuration is required beyond the library's default parsing behavior; any application using SheetJS to read user-supplied Excel documents is affected [1].
Exploitation
An attacker needs only to provide a malicious .xlsx file to an application that parses it with SheetJS. The crafted document contains structures that trigger excessive memory allocation during parsing. No authentication, network position, or user interaction aside from triggering the file parse operation is required [2].
Impact
Successful exploitation results in a denial of service condition due to uncontrolled memory consumption, impacting application availability. The attack does not lead to information disclosure, privilege escalation, or code execution; the sole outcome is resource exhaustion that may crash the hosting process or degrade system performance [1].
Mitigation
The vulnerability is fixed in SheetJS version 0.16.9 and later. Users should update to the latest release. As a workaround, organizations can limit the size and complexity of uploaded .xlsx files, or employ external scanning tools to detect malformed documents before they reach the library. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1][2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
xlsxnpm | < 0.17.0 | 0.17.0 |
org.webjars.npm:xlsxMaven | < 0.17.0 | 0.17.0 |
Affected products
3- SheetJS/SheetJS Prodescription
- ghsa-coords2 versions
< 0.17.0+ 1 more
- (no CPE)range: < 0.17.0
- (no CPE)range: < 0.17.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
7- github.com/advisories/GHSA-3x9f-74h4-2fqrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32012ghsaADVISORY
- floqast.com/engineering-blog/post/fuzzing-and-parsing-securelyghsaWEB
- floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/mitrex_refsource_MISC
- sheetjs.com/proghsax_refsource_MISCWEB
- www.npmjs.com/package/xlsx/v/0.17.0ghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.