CVE-2021-32014
Description
SheetJS and SheetJS Pro through 0.16.9 are vulnerable to denial of service via crafted .xlsx files mishandled by xlsx.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SheetJS and SheetJS Pro through 0.16.9 are vulnerable to denial of service via crafted .xlsx files mishandled by xlsx.js.
Vulnerability
SheetJS and SheetJS Pro through version 0.16.9 contain a denial-of-service vulnerability when parsing a specially crafted .xlsx document. The issue lies in the xlsx.js file, which does not properly handle malformed input, leading to excessive CPU consumption [1].
Exploitation
An attacker can cause a denial of service by providing a crafted .xlsx file to the application. The file is processed by xlsx.js, which enters a resource-intensive loop or hangs. No authentication or special privileges are required if the application accepts user-supplied files [2].
Impact
Successful exploitation results in high CPU consumption, potentially making the application unresponsive or causing a denial of service. The impact is limited to availability; confidentiality and integrity are not compromised [1].
Mitigation
As of the publication date, the fix is included in versions after 0.16.9. Users should upgrade to a patched version. If upgrading is not possible, avoid processing untrusted .xlsx files or use input validation [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
xlsxnpm | < 0.17.0 | 0.17.0 |
org.webjars.npm:xlsxMaven | < 0.17.0 | 0.17.0 |
Affected products
3- SheetJS/SheetJS Prodescription
- ghsa-coords2 versions
< 0.17.0+ 1 more
- (no CPE)range: < 0.17.0
- (no CPE)range: < 0.17.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
7- github.com/advisories/GHSA-g973-978j-2c3pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32014ghsaADVISORY
- floqast.com/engineering-blog/post/fuzzing-and-parsing-securelyghsaWEB
- floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/mitrex_refsource_MISC
- sheetjs.com/proghsax_refsource_MISCWEB
- www.npmjs.com/package/xlsx/v/0.17.0ghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.