
[NEW] CVE-2026-38358: xlsx unescapexml() Unbounded Recursion DoS #7611

Open
tldhs1144 wants to merge 1 commit into github:tldhs1144/advisory-improvement-7611 from tldhs1144:sion-park-CVE-2026-38358-xlsx-cdata

Conversation

@tldhs1144

@tldhs1144 tldhs1144 commented May 7, 2026

Summary

Submitting a new advisory for SheetJS xlsx Community Edition (npm).

  • CVE: CVE-2026-38358 (assigned by MITRE on 2026-05-06)
  • Package: xlsx (npm, ~2M weekly downloads)
  • Affected: all versions ≤ 0.18.5 (Community Edition unmaintained since 2022)
  • Severity: CVSS 3.1 — 8.6 HIGH (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • CWE: CWE-674 (Uncontrolled Recursion)
  • Patch: None — Community Edition is unmaintained

Why a PR (not a repo Security advisory)

SheetJS publishes the xlsx Community Edition on npm but has shifted active development to the commercial Pro product. The upstream repository SheetJS/sheetjs has not received Community-Edition fixes since 2022. This community PR is the path of last resort to surface the issue in npm audit / Dependabot.

What I'm asking from the curation team

  • Assign a real GHSA-xxxx-xxxx-xxxx ID to replace xlsx-cdata-recursion-cve-2026-38358
  • Add to the github-reviewed index

Vulnerability summary

unescapexml() (xlsx.js:3501-3506) recursively processes each <![CDATA[...]]> token by calling itself on the suffix substring. No depth tracking. An XLSX file (~126 KB) with ~9,000 sequential CDATA tokens in xl/sharedStrings.xml reliably crashes Node.js v18+ with RangeError: Maximum call stack size exceeded.

Why CVSS Scope:Changed (8.6 not 7.5): the vulnerable component is the parser library, but the crashed component is the host application process containing arbitrary user code — different security authority.

Researcher

Sion Park (tldhs1144@gmail.com)

Companion submissions in parallel PRs:

  • CVE-2026-38357 (msgpack-lite recursion)
  • CVE-2026-38359 (xlsx ZIP header memory allocation)
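An added example, not code from this PR, from SheetJS, or from the xlsx package: a loop-based CDATA unwrapper that does the job the summary says unescapexml() does by recursing on the suffix, so stack use no longer grows with the token count, plus a token counter a consumer can run over xl/sharedStrings.xml before parsing. The function names and the policy limit are assumptions.

```javascript
// Hypothetical names; this is illustrative code, not the library's own.
const CDATA_OPEN = "<![CDATA[";
const CDATA_CLOSE = "]]>";

// Remove every <![CDATA[...]]> wrapper, keeping the wrapped text.
// A loop plus an array of parts replaces self-recursion on the suffix,
// so ~9,000 sequential tokens cost no more stack than one token.
function unwrapCdataIterative(text) {
  const parts = [];
  let pos = 0;
  for (;;) {
    const open = text.indexOf(CDATA_OPEN, pos);
    if (open === -1) break;
    const close = text.indexOf(CDATA_CLOSE, open + CDATA_OPEN.length);
    if (close === -1) break; // unterminated CDATA: keep the tail verbatim
    parts.push(text.slice(pos, open));
    parts.push(text.slice(open + CDATA_OPEN.length, close));
    pos = close + CDATA_CLOSE.length;
  }
  parts.push(text.slice(pos));
  return parts.join("");
}

// Pre-parse guard: count CDATA openers so a caller can refuse a part
// that exceeds a policy limit before handing it to a recursive parser.
function countCdataTokens(text) {
  let count = 0;
  let pos = 0;
  for (;;) {
    const open = text.indexOf(CDATA_OPEN, pos);
    if (open === -1) return count;
    count += 1;
    pos = open + CDATA_OPEN.length;
  }
}

// Policy check; the limit (assumed) is far above any legitimate sheet.
const MAX_CDATA_TOKENS = 1000;
function sharedStringsWithinPolicy(text) {
  return countCdataTokens(text) <= MAX_CDATA_TOKENS;
}

// Constructed sample in the shape the PR describes: n sequential tokens.
function buildSample(n) {
  return Array.from({ length: n }, (_, i) => `<![CDATA[s${i}]]>`).join("");
}
```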

@github-actions github-actions Bot changed the base branch from main to tldhs1144/advisory-improvement-7611 May 7, 2026 13:21
@tldhs1144 tldhs1144 force-pushed the sion-park-CVE-2026-38358-xlsx-cdata branch from 6c3be2c to 8c648da May 7, 2026 13:29