CVE-2021-32013
Description
SheetJS and SheetJS Pro through 0.16.9 are vulnerable to denial of service via memory exhaustion when parsing a crafted .xlsx file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SheetJS and SheetJS Pro through 0.16.9 are vulnerable to denial of service via memory exhaustion when parsing a crafted .xlsx file.
Vulnerability
SheetJS and SheetJS Pro versions up to and including 0.16.9 contain a vulnerability in the xlsx.js parser that mishandles crafted .xlsx documents, leading to excessive memory consumption. The issue is triggered when the library reads a maliciously crafted file, causing uncontrolled memory allocation. [1][2]
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted .xlsx file to an application that uses the affected SheetJS library. No authentication or special privileges are required if the application processes user-uploaded files. The attacker simply needs to deliver the malicious file, which when parsed by xlsx.js, causes the denial of service. [2]
Impact
Successful exploitation results in a denial of service condition due to memory exhaustion. The application may become unresponsive or crash, affecting availability. No data integrity or confidentiality is compromised. [1]
Mitigation
As of the publication date, no official patch has been disclosed in the available references. Users should upgrade to a version beyond 0.16.9 if available, or implement input validation and file size limits to mitigate the risk. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
xlsxnpm | < 0.17.0 | 0.17.0 |
org.webjars.npm:xlsxMaven | < 0.17.0 | 0.17.0 |
Affected products
3- SheetJS/SheetJS Prodescription
- ghsa-coords2 versions
< 0.17.0+ 1 more
- (no CPE)range: < 0.17.0
- (no CPE)range: < 0.17.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
7- github.com/advisories/GHSA-8vcr-vxm8-293mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32013ghsaADVISORY
- floqast.com/engineering-blog/post/fuzzing-and-parsing-securelyghsaWEB
- floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/mitrex_refsource_MISC
- sheetjs.com/proghsax_refsource_MISCWEB
- www.npmjs.com/package/xlsx/v/0.17.0ghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.