Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker controls only an untrusted input file (AV:N, PR:N, UI:N, AC:L) and impact is a pure resource-exhaustion DoS, so C:N/I:N with A:H and unchanged scope.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the streaming worksheet reader used by Rows and GetRows does not enforce the TotalRows limit on the row r attribute, allowing a small XLSX file with a row number above 1048576 and no cell coordinate to make GetRows append empty rows up to the attacker-controlled index and consume excessive memory and CPU. This issue is fixed in version 2.11.0.
AnalysisAI
Uncontrolled memory and CPU consumption in Excelize (qax-os/excelize), the widely used Go library for reading and writing Microsoft Excel spreadsheets, before version 2.11.0 lets a crafted XLSX file trigger a denial of service. The streaming worksheet reader behind the Rows and GetRows APIs fails to enforce the TotalRows (1,048,576) limit on the row 'r' attribute, so a tiny file declaring an out-of-range row index with no cell coordinate forces GetRows to allocate empty rows up to that attacker-chosen index. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a target application built on Excelize prior to 2.11.0 parse an attacker-supplied XLSX file through the streaming Rows or GetRows readers. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a small, well-formed XLSX file to a service that uses a pre-2.11.0 Excelize to extract sheet contents via GetRows. The file contains a single row element with r set far above 1,048,576 and no cell coordinates, causing the parser to allocate empty rows up to that index and spike memory and CPU until the worker or host is exhausted. … |
| Remediation | Vendor-released patch: 2.11.0 - upgrade the dependency to v2.11.0 or later and rebuild/redeploy as the primary and complete fix; the corrective change is in PR https://github.com/qax-os/excelize/pull/2331 and commit 93f0b3caed37f21ef5079e3259c6c21dcfe68453, with details in advisory https://github.com/qax-os/excelize/security/advisories/GHSA-q5j5-6p94-4gwc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all applications and services using Excelize library (particularly those accepting user-uploaded files) via dependency scanning. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial of service in the Excelize Go library (github.com/xuri/excelize/v2, a.k.a. qax-os/excelize) before 2.11.0 allows
Panic-triggering denial of service in the Excelize Go library (all versions prior to 2.11.0) allows any actor who can su
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42936