Sonatype Delivers Premium Open Source Controls to GitHub | Press Release

blog-logo Sonatype Blog

Nexus Intelligence Insights: xlsx aka SheetJS - Regular Expression Denial of Service (ReDoS) and sonatype-2018-0622

May 06, 2020 By Akshay 'Ax' Sharma

For this month’s Nexus Intelligence Insights, we explore an interesting case of ReDoS vulnerability impacting the popular npm component, SheetJS, also known as “xlsx”. It may pique your interest to learn that this vulnerability was previously thought to be remedied through a fix. Adam Cazzolla of Sonatype Security Research later discovered this did not cover all malicious cases. 

Cases like this ReDoS discovery illustrate how interaction with the open source community helps keep components and software supply chains secure. Our Security Research team goes the extra mile to discover novel vulnerabilities, and identify those arising from insufficient fixes, with help from the community. When we do come across cases like this one, we follow responsible disclosure best practices and coordinate with the vendor to help remediate the vulnerability, and safeguard the open source community. 

It is worth commending the pace and professionalism at which the devs behind SheetJS worked during this responsible disclosure process. As soon as Sonatype notified them of the unpatched regular expression (regex) lurking in the app, the devs acknowledged the report within an hour of our email. Their engagement led to the vulnerability’s rapid resolution.

ReDoS vulnerabilities commonly occur when the regex being used to evaluate a string doesn’t take into account the numerous paths a regex engine will have to take during their evaluation, leading to catastrophic backtracking. In such an event, the regex matching engine consumes a large amount of CPU and/or memory resources. If a skilled attacker crafts a malicious input, a DoS condition will occur on the target host, all because of a string matching operation taking up much of the available resources. 

Name/Vulnerability Identifier: sonatype-2018-0622
Type of Vulnerability: Regular expression Denial of Service (ReDoS)

Components Affected:
npm: `xlsx` : [0.7.12, 0.16.0)
Maven Central: org.webjars.npm:js-xlsx : (,) i.e. all versions are vulnerable as of the writing this article. IQ scan is recommended for most up to date information.

Vulnerability Description:

SheetJS, released as “xlsx”, “js-xlsx” and known by other such synonyms, is a JavaScript library which lets you create Microsoft Excel workbooks from scratch, among performing other Excel tasks - all from the convenience of your web browser. Given Excel’s vast popularity in the corporate world, and the rise in usage of web apps (think Google Docs), it becomes vital to guard against even the minutest security flaws lurking in the SheetJS library.

Known by our proprietary identifier sonatype-2018-0622, the ReDoS vulnerability is present in the SheetJS npm component and how it evaluates the XML/HTML tags present in the user-provided input. Repeated character sequences of 50,000 characters initiate a delay of 2 seconds each in the application. An attacker can therefore supply a sufficiently large Excel (XML-formatted) file causing the SheetJS instance to freeze or eventually crash altogether.

The vulnerability had been previously remedied using an insufficient fix (Figure 1).

Figure 1. Previous security fix revising `xlmlregex` in an insufficient manner.

The developers subsequently corrected their regex pattern to prevent “catastrophic backtracking,” as a resolution to this vulnerability. Large-sized Excel XML files are no longer known to cause ReDoS in the application.

Figure 2. The final fix made in version 0.16.0 revises `xlmlregex` to resolve the ReDoS vulnerability.

Remediation advice:

Sonatype recommends upgrading to SheetJS version 0.16.0 or above, as present in npm downloads, which contains the fix for this vulnerability.

DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of malicious intent. Sonatype Nexus customers were notified of sonatype-2018-0622 within hours of the discovery. Their development teams automatically received instructions on how to remediate the risk.

If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Nexus Vulnerability Scanner to quickly find out.

Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one. Or subscribe to automatically receive Nexus Intelligence Insights hot off the press.

Tags: vulnerabilities, featured, Nexus Intelligence Insights, SheetJS, xlsx

Written by Akshay 'Ax' Sharma

Endorsed an Exceptional Talent (‘a recognized leader’) by the British Government, Akshay aka Ax is a Security Researcher at Sonatype and Engineer who holds passion for perpetual learning. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.