URL Redirector Abuse due to link to non existing domain found #3312

Closed
opened 2025-07-07 23:12:30 +00:00 by Tran-Steven · 1 comment

Version 0.20.3

My team uses xlsx-0.20.3.tgz for our application. We recently had an Appscan done on our application and a couple of High severity vulnerabilities were found.

Issue type: link to non existing domain found
Threat class: URL redirector abuse
Severity: High
http://schemas.openxmlformats.org/

This was found in the `static/js/main.*.js` file when building.

I did a workaround where I edited every reference of `schemas.openxmlformats.org` to an empty string. This resulted in the domain/URLs no longer appearing, but .xlsx files return a namespace error, while .csv files work.

Owner

Note that this has been reported before: [#2829](https://git.sheetjs.com/sheetjs/sheetjs/issues/2829)

As this is an issue out of our control, please direct the security vendor to this response.

**The domain `http://schemas.openxmlformats.org/` is required**

XLSX files are ZIP files that contain XML files.

[XML Namespaces](https://en.wikipedia.org/wiki/XML_namespace) are required in the various XML files. This means, at a bare minimum, the namespace URLs must exist in some form in the library.

[ECMA-376 Part 2](https://ecma-international.org/publications-and-standards/standards/ecma-376/) details the required XML namespace URLs. Unfortunately there is no HTML rendering, so you will need to download the ZIP file and extract to find the PDF.

For example, Section 6.5.2 "Relationships part" defines the various `.rels` files in the XLSX file:

![i3312-relationships.png](/attachments/0dc47211-e7bb-4cb5-bd0c-5dda12835a75)

The expected namespace, which must be included in the library, is a URL from the domain `http://schemas.openxmlformats.org/`

**Who can resolve the issue?**

According to the `whois` data, `openxmlformats.org` was registered in 2005 by the Microsoft Corporation:

```
Domain Name: openxmlformats.org
Registry Domain ID: 0a922e3b09784fe79c62fb60ef5673f9-LROR
...
Updated Date: 2024-10-26T05:05:39Z
Creation Date: 2005-10-25T20:06:53Z
Registry Expiry Date: 2025-10-25T20:06:53Z
...
Registrant Organization: Microsoft Corporation
```

Ultimately the only party that can fix the problem is Microsoft.
sheetjs pinned this 2025-07-08 03:25:04 +00:00
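The following is an added example, not code from this issue or from the SheetJS library, written in Python (standard library only) rather than JavaScript because `zipfile` and `xml.etree` make the package structure easy to show without dependencies. It builds a constructed three-part workbook package, reads it back the way an ECMA-376 consumer does (locate the main part by relationship type, then read `sheets` in the SpreadsheetML namespace), and reproduces the reporter's workaround of blanking the domain to show why .xlsx reading then fails. The namespace and relationship-type strings are the standard ECMA-376 identifiers as I know them; `namespace_identifiers` shows that every occurrence of the flagged domain is an `xmlns` or `Type` identifier that the reader compares as a string and never fetches.

```python
"""Why the schemas.openxmlformats.org strings must stay in an XLSX
reader/writer.  Constructed example package; not a SheetJS artefact."""
import io
import zipfile
import xml.etree.ElementTree as ET

# ECMA-376 namespace and relationship-type identifiers (assumed from the
# spec; they are opaque names, and nothing below opens a network socket).
OOXML_DOMAIN = "http://schemas.openxmlformats.org"
NS_CONTENT_TYPES = "/package/2006/content-types"
NS_PKG_RELS = "/package/2006/relationships"
NS_SML = "/spreadsheetml/2006/main"
REL_OFFICE_DOCUMENT = "/officeDocument/2006/relationships/officeDocument"


def build_package(domain: str = OOXML_DOMAIN) -> bytes:
    """Write a minimal three-part workbook package.  `domain` lets us
    reproduce the reporter's workaround (domain="") and observe the effect."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{domain}{NS_CONTENT_TYPES}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
        '</Types>'
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{domain}{NS_PKG_RELS}">'
        f'<Relationship Id="rId1" Type="{domain}{REL_OFFICE_DOCUMENT}" Target="xl/workbook.xml"/>'
        '</Relationships>'
    )
    workbook = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<workbook xmlns="{domain}{NS_SML}">'
        '<sheets><sheet name="Sheet1" sheetId="1"/></sheets>'
        '</workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("xl/workbook.xml", workbook)
    return buf.getvalue()


def sheet_names(package: bytes) -> list[str]:
    """Read the package as a spec-conforming consumer: find the main part
    via the relationship *type* URI, then read <sheet> elements in the
    SpreadsheetML namespace.  Both lookups are exact string comparisons
    against the ECMA-376 identifiers; the URLs are never requested."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        rels = ET.fromstring(zf.read("_rels/.rels"))
        rel_tag = f"{{{OOXML_DOMAIN}{NS_PKG_RELS}}}Relationship"  # Clark notation
        targets = [
            r.get("Target")
            for r in rels.iter(rel_tag)
            if r.get("Type") == f"{OOXML_DOMAIN}{REL_OFFICE_DOCUMENT}"
        ]
        if not targets:
            raise ValueError("no officeDocument relationship in the expected namespace")
        wb = ET.fromstring(zf.read(targets[0]))
        sheet_tag = f"{{{OOXML_DOMAIN}{NS_SML}}}sheet"
        return [s.get("name") for s in wb.iter(sheet_tag)]


def namespace_identifiers(package: bytes) -> set[str]:
    """What a static scanner sees: every schemas.openxmlformats.org string in
    the package is an element namespace or a Type attribute value."""
    found: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            for el in ET.fromstring(zf.read(name)).iter():
                if el.tag.startswith("{"):
                    found.add(el.tag[1:el.tag.index("}")])
                found.update(v for v in el.attrib.values() if v.startswith(OOXML_DOMAIN))
    return found


def workaround_breaks_reader() -> bool:
    """Reproduce the reporter's workaround: blank the domain, then read.
    The relationship lookup no longer matches (or the XML is rejected),
    which is the 'namespace error' seen on .xlsx files."""
    try:
        sheet_names(build_package(domain=""))
    except (ValueError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    pkg = build_package()
    print("sheets:", sheet_names(pkg))
    print("identifiers found:", sorted(namespace_identifiers(pkg)))
    print("workaround breaks reader:", workaround_breaks_reader())
```

The scanner finding is a string match on the domain; the reader's behaviour above is the reason the match is unavoidable, and the blanked-domain run is the reason the workaround breaks .xlsx while leaving .csv (which has no XML parts) untouched.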
Reference: sheetjs/sheetjs#3312