Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote, low-complexity, unauthenticated parsing of an attacker file with no user interaction; impact is availability-only (OOM/panic) with no confidentiality or integrity loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet() function in github.com/xuri/excelize/v2 uses an attacker-controlled <row r="N"> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required. This issue is fixed in version 2.11.0.
AnalysisAI
Denial of service in the Excelize Go library (github.com/xuri/excelize/v2, a.k.a. qax-os/excelize) before 2.11.0 allows remote attackers to crash any service that opens attacker-supplied XLSX files and reads cell values. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target service (1) uses Excelize prior to 2.11.0, (2) opens an XLSX file whose contents the attacker controls or can supply, and (3) invokes a parsing path that reaches checkSheet(), such as GetCellValue after OpenFile/OpenReader. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High) is well-supported by the description: network-reachable, low-complexity, no privileges or interaction, with availability-only impact and no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a crafted XLSX to a document-processing endpoint (or emails it to an automated attachment parser) whose worksheet XML contains <row r="2147483647">, and when the service calls GetCellValue the library attempts a ~16 GB allocation and the process is OOM-killed. Alternatively, an r="-1" value causes an out-of-bounds slice index and an unrecovered panic that crashes the worker. … |
| Remediation | Primary fix: upgrade the Excelize dependency to version 2.11.0 or later - Vendor-released patch: v2.11.0 - for example run 'go get github.com/xuri/excelize/v2@v2.11.0' and rebuild, per the release at https://github.com/qax-os/excelize/releases/tag/v2.11.0 and advisory https://github.com/qax-os/excelize/security/advisories/GHSA-h69g-9hx6-f3v4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all services using Excelize versions before 2.11.0; restrict XLSX file uploads to authenticated, trusted sources only; implement file validation to reject XLSX files with suspicious row attributes (r parameter values). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Uncontrolled memory and CPU consumption in Excelize (qax-os/excelize), the widely used Go library for reading and writin
Panic-triggering denial of service in the Excelize Go library (all versions prior to 2.11.0) allows any actor who can su
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42938
GHSA-h69g-9hx6-f3v4