<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cwe-770 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cwe-770/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:29:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cwe-770/feed.xml" rel="self" type="application/rss+xml"/><item><title>Excelize Unbounded Row Index Allocation Denial-of-Service Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-excelize-dos/</link><pubDate>Fri, 10 Jul 2026 19:29:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-excelize-dos/</guid><description>An unbounded row index allocation vulnerability (CWE-770) exists in the `checkSheet()` function of the `github.com/xuri/excelize/v2` library, allowing an unauthenticated attacker to craft a malicious XLSX file with a specially crafted row index value that triggers an out-of-memory error or runtime panic, leading to a denial-of-service condition in Go applications processing untrusted spreadsheets.</description><content:encoded><![CDATA[<p>An unauthenticated attacker can exploit a denial-of-service vulnerability (CWE-770) in the <code>github.com/xuri/excelize/v2</code> Go library, affecting versions up to the fix. The vulnerability arises from unbounded row index allocation within the <code>checkSheet()</code> function, which fails to validate the attacker-controlled <code>&lt;row r=&quot;N&quot;&gt;</code> XML attribute value in a malicious XLSX file. By crafting an XLSX file with an extremely large (e.g., 2147483647) or negative (e.g., -1) row index, attackers can trigger either a critical out-of-memory condition, leading to a process kill, or a runtime panic due to an out-of-bounds slice index. This impacts any Go application that uses the <code>excelize/v2</code> library to process untrusted XLSX documents, such as web services with upload endpoints or CLI tools, enabling trivial, unauthenticated service disruption with a small payload.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious XLSX file, embedding an excessively large (e.g., <code>r=&quot;2147483647&quot;</code>) or negative (e.g., <code>r=&quot;-1&quot;</code>) value in the <code>&lt;row r=&quot;...&quot;&gt;</code> XML attribute within <code>xl/worksheets/sheet1.xml</code>.</li>
<li>A legitimate Go application opens this malicious XLSX file using the <code>excelize.OpenFile()</code> function.</li>
<li>The application then attempts to read cell values by calling <code>GetCellValue()</code> or any other API that internally invokes <code>workSheetReader</code>.</li>
<li>The <code>workSheetReader</code> component decodes the worksheet XML, deserializing the attacker-controlled <code>r</code> attribute value into an integer without any initial bounds validation.</li>
<li>The <code>checkSheet()</code> function processes the sheet data, encountering the invalid <code>r</code> value.</li>
<li>Within <code>checkSheet()</code>, the library attempts to allocate a slice using <code>make([]xlsxRow, row)</code> where <code>row</code> is the attacker-controlled large or negative value.</li>
<li>If <code>row</code> is excessively large (e.g., 2147483647), this triggers an attempt to allocate approximately 16 GB of memory, leading to an out-of-memory (OOM) error and process termination.</li>
<li>If <code>row</code> is negative (e.g., -1), subsequent operations on the <code>sheetData.Row</code> slice result in an <code>index out of range</code> runtime panic, crashing the application.</li>
<li>The Go application terminates abnormally, resulting in a denial-of-service condition for users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This is a critical Denial-of-Service vulnerability. An unauthenticated remote attacker can trivially crash or memory-exhaust any Go application that utilizes the <code>github.com/xuri/excelize/v2</code> library to open untrusted XLSX files and subsequently calls cell-reading APIs like <code>GetCellValue</code>. Affected systems include web services with spreadsheet upload or import functionality, data processing pipelines, and CLI tools that parse user-supplied spreadsheets. The attack requires no authentication and minimal user interaction (e.g., uploading the malicious file). The payload is a compact, few-hundred-byte XLSX file, making it easy to deliver. Repeated or concurrent exploitation can severely disrupt or completely deny service to all users of the vulnerable application.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>github.com/xuri/excelize/v2</code> to a patched version immediately to remediate the unbounded row index allocation vulnerability.</li>
<li>Implement robust resource limits for any application processing untrusted files to mitigate the impact of potential memory exhaustion attacks.</li>
<li>Monitor application logs for <code>fatal error: runtime: out of memory</code> messages or <code>panic: runtime error: index out of range</code> messages originating from the <code>excelize</code> library to detect attempted or successful exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>denial-of-service</category><category>golang</category><category>xlsx</category><category>library</category><category>cwe-770</category></item></channel></rss>