{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/xuri/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["excelize v2"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","denial-of-service","golang","xlsx","library","cwe-770"],"_cs_type":"advisory","_cs_vendors":["xuri"],"content_html":"\u003cp\u003eAn unauthenticated attacker can exploit a denial-of-service vulnerability (CWE-770) in the \u003ccode\u003egithub.com/xuri/excelize/v2\u003c/code\u003e Go library, affecting versions up to the fix. The vulnerability arises from unbounded row index allocation within the \u003ccode\u003echeckSheet()\u003c/code\u003e function, which fails to validate the attacker-controlled \u003ccode\u003e\u0026lt;row r=\u0026quot;N\u0026quot;\u0026gt;\u003c/code\u003e XML attribute value in a malicious XLSX file. By crafting an XLSX file with an extremely large (e.g., 2147483647) or negative (e.g., -1) row index, attackers can trigger either a critical out-of-memory condition, leading to a process kill, or a runtime panic due to an out-of-bounds slice index. This impacts any Go application that uses the \u003ccode\u003eexcelize/v2\u003c/code\u003e library to process untrusted XLSX documents, such as web services with upload endpoints or CLI tools, enabling trivial, unauthenticated service disruption with a small payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XLSX file, embedding an excessively large (e.g., \u003ccode\u003er=\u0026quot;2147483647\u0026quot;\u003c/code\u003e) or negative (e.g., \u003ccode\u003er=\u0026quot;-1\u0026quot;\u003c/code\u003e) value in the \u003ccode\u003e\u0026lt;row r=\u0026quot;...\u0026quot;\u0026gt;\u003c/code\u003e XML attribute within \u003ccode\u003exl/worksheets/sheet1.xml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA legitimate Go application opens this malicious XLSX file using the \u003ccode\u003eexcelize.OpenFile()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe application then attempts to read cell values by calling \u003ccode\u003eGetCellValue()\u003c/code\u003e or any other API that internally invokes \u003ccode\u003eworkSheetReader\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eworkSheetReader\u003c/code\u003e component decodes the worksheet XML, deserializing the attacker-controlled \u003ccode\u003er\u003c/code\u003e attribute value into an integer without any initial bounds validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echeckSheet()\u003c/code\u003e function processes the sheet data, encountering the invalid \u003ccode\u003er\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003echeckSheet()\u003c/code\u003e, the library attempts to allocate a slice using \u003ccode\u003emake([]xlsxRow, row)\u003c/code\u003e where \u003ccode\u003erow\u003c/code\u003e is the attacker-controlled large or negative value.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003erow\u003c/code\u003e is excessively large (e.g., 2147483647), this triggers an attempt to allocate approximately 16 GB of memory, leading to an out-of-memory (OOM) error and process termination.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003erow\u003c/code\u003e is negative (e.g., -1), subsequent operations on the \u003ccode\u003esheetData.Row\u003c/code\u003e slice result in an \u003ccode\u003eindex out of range\u003c/code\u003e runtime panic, crashing the application.\u003c/li\u003e\n\u003cli\u003eThe Go application terminates abnormally, resulting in a denial-of-service condition for users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis is a critical Denial-of-Service vulnerability. An unauthenticated remote attacker can trivially crash or memory-exhaust any Go application that utilizes the \u003ccode\u003egithub.com/xuri/excelize/v2\u003c/code\u003e library to open untrusted XLSX files and subsequently calls cell-reading APIs like \u003ccode\u003eGetCellValue\u003c/code\u003e. Affected systems include web services with spreadsheet upload or import functionality, data processing pipelines, and CLI tools that parse user-supplied spreadsheets. The attack requires no authentication and minimal user interaction (e.g., uploading the malicious file). The payload is a compact, few-hundred-byte XLSX file, making it easy to deliver. Repeated or concurrent exploitation can severely disrupt or completely deny service to all users of the vulnerable application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003egithub.com/xuri/excelize/v2\u003c/code\u003e to a patched version immediately to remediate the unbounded row index allocation vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement robust resource limits for any application processing untrusted files to mitigate the impact of potential memory exhaustion attacks.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for \u003ccode\u003efatal error: runtime: out of memory\u003c/code\u003e messages or \u003ccode\u003epanic: runtime error: index out of range\u003c/code\u003e messages originating from the \u003ccode\u003eexcelize\u003c/code\u003e library to detect attempted or successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:29:53Z","date_published":"2026-07-10T19:29:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-excelize-dos/","summary":"An unbounded row index allocation vulnerability (CWE-770) exists in the `checkSheet()` function of the `github.com/xuri/excelize/v2` library, allowing an unauthenticated attacker to craft a malicious XLSX file with a specially crafted row index value that triggers an out-of-memory error or runtime panic, leading to a denial-of-service condition in Go applications processing untrusted spreadsheets.","title":"Excelize Unbounded Row Index Allocation Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-excelize-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Xuri","version":"https://jsonfeed.org/version/1.1"}