CVE-2026-59161

QAX-OS · excelize

The Excelize Go library is vulnerable to uncontrolled resource consumption, which can lead to a Denial of Service (DoS) when processing maliciously crafted spreadsheet files.

Executive summary

A resource exhaustion vulnerability in the Excelize library could allow remote attackers to cause a denial of service on applications processing Excel files.

Vulnerability

This vulnerability involves CWE-400 and CWE-770, where the library fails to properly limit or throttle resource allocation during spreadsheet parsing. An unauthenticated attacker can trigger this condition by providing a specially crafted file, leading to excessive memory or CPU consumption.

Business impact

The inability to process files safely can lead to significant application downtime, impacting business operations that rely on spreadsheet data ingestion. With a CVSS score of 8.7, this vulnerability presents a high risk to system availability, potentially disrupting automated workflows and service delivery.

Remediation

Immediate Action: Update the excelize library to version 2.11.0 or later to implement necessary resource limits and throttling mechanisms.

Proactive Monitoring: Review application performance metrics and error logs for spikes in resource usage or unexpected crashes during file processing.

Compensating Controls: Implement file size limits and sandboxing for file processing tasks to contain the impact of potential resource exhaustion attacks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Developers and system administrators should prioritize updating the excelize dependency in their Go projects. Preventing resource exhaustion is critical for maintaining application uptime, and adopting the latest version is the only definitive way to address the underlying logic flaw.