CVE-2024-22363 Overview
CVE-2024-22363 is a Regular Expression Denial of Service (ReDoS) vulnerability in SheetJS Community Edition versions prior to 0.20.2. The flaw resides in regular expression patterns used by the library to parse spreadsheet content. An attacker who supplies a crafted input file or string can force catastrophic backtracking, causing excessive CPU consumption and stalling the host application. SheetJS is widely embedded in web and Node.js applications that import, export, or transform spreadsheet data, making the attack surface remote and unauthenticated. The vulnerability is tracked under CWE-1333: Inefficient Regular Expression Complexity.
Critical Impact
Remote, unauthenticated attackers can exhaust CPU resources by submitting crafted spreadsheet input, leading to availability loss for applications that process untrusted files through SheetJS.
Affected Products
- SheetJS Community Edition versions prior to 0.20.2
- Web applications embedding vulnerable SheetJS builds for client-side spreadsheet parsing
- Node.js services that ingest user-supplied spreadsheet data via SheetJS
Discovery Timeline
- 2024-04-05 - CVE-2024-22363 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-22363
Vulnerability Analysis
The vulnerability is an algorithmic complexity flaw in SheetJS Community Edition. SheetJS parses spreadsheet formats including XLSX, CSV, and HTML by applying regular expressions to tokenize cell content and metadata. One or more of these patterns exhibit super-linear backtracking when matched against adversarial input.
When the regex engine encounters such input, it explores an exponential number of match paths before giving up. The parsing thread blocks while consuming CPU cycles. In single-threaded runtimes like Node.js or a browser tab, this stalls the entire event loop, denying service to all concurrent users of that process. The issue impacts only availability — confidentiality and integrity are not affected.
The fix shipped in SheetJS 0.20.2 rewrites the affected expressions to eliminate ambiguous alternations and nested quantifiers. Consult the SheetJS Security Advisory and the SheetJS Git Repository v0.20.2 for the corrected parser logic.
Root Cause
The root cause is inefficient regular expression complexity [CWE-1333]. Patterns containing overlapping alternatives or nested repetition operators allow a crafted input string to trigger catastrophic backtracking in the underlying regex engine. The engine attempts every permutation of the ambiguous match before failing, producing runtime that scales exponentially with input length.
Attack Vector
The attack vector is network-reachable and requires no authentication or user interaction beyond submitting input. An attacker uploads or posts a malicious spreadsheet file, CSV payload, or HTML table to any endpoint that hands the data to SheetJS for parsing. The crafted payload contains a string region designed to maximize backtracking in the vulnerable regex. The application thread then hangs, exhausting one CPU core per request. Submitting multiple parallel requests can take down the entire service.
No verified public proof-of-concept code is available. The mechanism is documented in the vendor advisory referenced above.
Detection Methods for CVE-2024-22363
Indicators of Compromise
- Sustained 100% CPU utilization on a single thread of a Node.js or browser process performing spreadsheet parsing
- Long-running or hanging HTTP requests to endpoints that accept spreadsheet uploads, with response times exceeding normal parsing duration by orders of magnitude
- Application logs showing parser invocations that never return or are killed by request timeouts
Detection Strategies
- Inventory all applications and dependencies for SheetJS Community Edition versions below 0.20.2 using software composition analysis tooling
- Instrument spreadsheet parsing code paths with execution-time metrics and alert on outliers exceeding a defined threshold
- Inspect ingress traffic for spreadsheet payloads containing unusually long repeated character sequences typical of ReDoS triggers
Monitoring Recommendations
- Track event-loop lag in Node.js services that consume SheetJS and alert when lag exceeds normal baselines
- Monitor CPU saturation per worker process alongside request queue depth on file-processing endpoints
- Log every spreadsheet upload with size, content type, and processing duration to enable retrospective hunting
How to Mitigate CVE-2024-22363
Immediate Actions Required
- Upgrade SheetJS Community Edition to version 0.20.2 or later across all applications and bundled assets
- Audit transitive dependencies for vulnerable SheetJS versions and rebuild downstream packages
- Apply request timeouts and CPU limits to any endpoint that parses user-supplied spreadsheet data
Patch Information
Upgrade to SheetJS Community Edition 0.20.2 or newer. Release artifacts and source are available from the SheetJS Git Repository v0.20.2. Verify that bundled front-end builds are rebuilt against the patched version, since browser-side copies are not updated by server-side package upgrades alone.
Workarounds
- Enforce strict input size limits on spreadsheet uploads to bound worst-case parser runtime
- Run SheetJS parsing inside a worker thread or isolated process with a hard execution-time kill switch
- Reject content types and file extensions that the application does not require, reducing exposure to crafted payloads
# Configuration example: upgrade SheetJS and verify version
# The public npm registry package "xlsx" is no longer updated past 0.18.5; the vendor
# distributes 0.20.2 as a tarball from its own CDN, so install it from there.
npm install --save https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz
npm ls xlsx
node -e "console.log(require('xlsx').version)"   # expect 0.20.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.