
[NEW] CVE-2026-38359: xlsx ZIP Header Memory Allocation DoS#7612

Open
tldhs1144 wants to merge 1 commit into github:tldhs1144/advisory-improvement-7612 from tldhs1144:sion-park-CVE-2026-38359-xlsx-zipbomb

Conversation


@tldhs1144 tldhs1144 commented May 7, 2026

Summary

Submitting a new advisory for SheetJS xlsx Community Edition (npm).

  • CVE: CVE-2026-38359 (assigned by MITRE on 2026-05-06)
  • Package: xlsx (npm, ~2M weekly downloads)
  • Affected: all versions ≤ 0.18.5 (Community Edition unmaintained since 2022)
  • Severity: CVSS 3.1 — 8.6 HIGH (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • CWE: CWE-400 / CWE-409 (Resource Exhaustion / Decompression Bomb)
  • Patch: None — Community Edition is unmaintained

Why a PR (not a repo Security advisory)

SheetJS Community Edition has been unmaintained since 2022; active development moved to the commercial Pro product. This community PR is the path of last resort to surface the issue in npm audit / Dependabot.

What I'm asking from the curation team

  • Assign a real GHSA-xxxx-xxxx-xxxx ID to replace xlsx-zip-bomb-cve-2026-38359
  • Add to the github-reviewed index

Vulnerability summary

The parser reads the uncompressed-size field from the ZIP local file header (xlsx.js:2670) and passes it directly to Buffer.allocUnsafe() (xlsx.js:2529) without any maximum-size or compression-ratio check. The "consistency check" against the central directory (line 2700-2701) is ineffective because both headers are attacker-controlled.

A ~10 KB XLSX file with modified ZIP headers declaring 10 GB total uncompressed size reliably triggers an out-of-memory crash on Node.js.

Researcher

Sion Park (tldhs1144@gmail.com)

Companion submissions in parallel PRs:

  • CVE-2026-38357 (msgpack-lite recursion)
  • CVE-2026-38358 (xlsx unescapexml() recursion)
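The pre-parse guard the advisory says is missing, as an added example that is neither SheetJS code nor part of the PR author's submission: a Node.js check that walks the ZIP local file headers of an untrusted .xlsx, reads only the declared compressed and uncompressed sizes, and rejects the archive if any entry or the archive total exceeds a cap, if the declared compression ratio is implausible, or if the sizes are deferred to a data descriptor. Nothing is inflated and nothing is allocated in proportion to the declared sizes, so the check itself cannot be turned into the allocation the advisory describes. The function names, the limit values, and the sample archives (headers followed by zero-filled placeholder bytes, not real deflate data) are assumptions constructed here for illustration.

```javascript
// Added example, not SheetJS code: inspect ZIP local file headers and reject
// declared sizes that no plausible spreadsheet would have, before any buffer
// is allocated from the attacker-controlled uncompressed-size field.
const LOCAL_SIG = 0x04034b50; // "PK\x03\x04"
const LOCAL_LEN = 30;         // fixed part of the local file header

// Policy limits (assumed for illustration; tune per deployment).
const LIMITS = {
  maxEntry: 256 * 1024 * 1024,  // 256 MiB for any single entry
  maxTotal: 1024 * 1024 * 1024, // 1 GiB summed over all entries
  maxRatio: 100,                // declared uncompressed / compressed
};

// Walk the local headers sequentially. Returns declared sizes only; no data
// is inflated and nothing is allocated in proportion to those sizes.
function parseLocalHeaders(buf) {
  const entries = [];
  let off = 0;
  while (off + LOCAL_LEN <= buf.length && buf.readUInt32LE(off) === LOCAL_SIG) {
    const flags = buf.readUInt16LE(off + 6);
    const method = buf.readUInt16LE(off + 8);
    const compressedSize = buf.readUInt32LE(off + 18);
    const uncompressedSize = buf.readUInt32LE(off + 22);
    const nameLen = buf.readUInt16LE(off + 26);
    const extraLen = buf.readUInt16LE(off + 28);
    const name = buf.toString('utf8', off + LOCAL_LEN, off + LOCAL_LEN + nameLen);
    entries.push({ name, method, flags, compressedSize, uncompressedSize });
    // Flag bit 3 means the sizes live in a trailing data descriptor, so the
    // header values are not trustworthy and the data cannot be skipped blindly.
    if (flags & 0x0008) break;
    off += LOCAL_LEN + nameLen + extraLen + compressedSize;
  }
  return entries;
}

// Returns { ok: true, total } or { ok: false, reason } without touching data.
function checkDeclaredSizes(buf, limits = LIMITS) {
  let total = 0;
  for (const e of parseLocalHeaders(buf)) {
    if (e.flags & 0x0008) {
      return { ok: false, reason: `${e.name}: sizes deferred to data descriptor` };
    }
    if (e.uncompressedSize > limits.maxEntry) {
      return { ok: false, reason: `${e.name}: declares ${e.uncompressedSize} bytes, over per-entry cap` };
    }
    total += e.uncompressedSize;
    if (total > limits.maxTotal) {
      return { ok: false, reason: `total declared size ${total} over archive cap` };
    }
    if (e.method !== 0) { // 0 = stored; anything else is compressed
      if (e.compressedSize === 0 && e.uncompressedSize > 0) {
        return { ok: false, reason: `${e.name}: compressed size 0 with non-zero output` };
      }
      if (e.compressedSize > 0 && e.uncompressedSize / e.compressedSize > limits.maxRatio) {
        return { ok: false, reason: `${e.name}: compression ratio over ${limits.maxRatio}:1` };
      }
    }
  }
  return { ok: true, total };
}

// --- Constructed sample input: a local header followed by zero-filled
// placeholder bytes (not a real deflate stream), only to exercise the check.
function localHeader(name, compressedSize, uncompressedSize, method = 8) {
  const nameBuf = Buffer.from(name, 'utf8');
  const h = Buffer.alloc(LOCAL_LEN + nameBuf.length); // zero-filled
  h.writeUInt32LE(LOCAL_SIG, 0);
  h.writeUInt16LE(20, 4);                // version needed to extract
  h.writeUInt16LE(method, 8);            // flags, time, date, crc stay 0
  h.writeUInt32LE(compressedSize, 18);
  h.writeUInt32LE(uncompressedSize, 22);
  h.writeUInt16LE(nameBuf.length, 26);
  nameBuf.copy(h, LOCAL_LEN);
  return Buffer.concat([h, Buffer.alloc(compressedSize)]);
}

const BENIGN_ARCHIVE = Buffer.concat([
  localHeader('[Content_Types].xml', 300, 1200),
  localHeader('xl/worksheets/sheet1.xml', 512, 20000),
]);

// Same size on disk, but each header declares about 3 GiB of output.
const OVERSIZED_ARCHIVE = Buffer.concat([
  localHeader('[Content_Types].xml', 300, 0xC0000000),
  localHeader('xl/worksheets/sheet1.xml', 512, 0xC0000000),
]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkDeclaredSizes(BENIGN_ARCHIVE));   // { ok: true, total: 21200 }
  console.log(checkDeclaredSizes(OVERSIZED_ARCHIVE)); // { ok: false, reason: ... }
}
```

Run the check on the raw bytes and only pass buffers it accepts to the spreadsheet parser. The caps are deliberately coarse: they do not replace a resource limit on the parsing process itself, but they stop the header-declared size from ever reaching an allocation call, which is the step the advisory identifies.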

@github-actions github-actions Bot changed the base branch from main to tldhs1144/advisory-improvement-7612 May 7, 2026 13:21
@tldhs1144 tldhs1144 force-pushed the sion-park-CVE-2026-38359-xlsx-zipbomb branch from 26fd0d0 to 99ff3cc May 7, 2026 13:30
