EPPlus 5 and 6 are automatically scanned for vulnerabilities and static code analysis is performed as part of the CI. Security patches will be provided via new revisions released in our public Nuget feed.
| Version | Supported | Comment |
|---|---|---|
| 6.x.x | ✅ | |
| 5.x.x | ✅ | |
| < 4.3 | ❌ | Deprecated/unsupported versions |
Create an issue in our issue tracker, describe the vulnerability (including relevant links) and what version of EPPlus that is affected.
| Detected | Resolved | Affected EPPlus versions | CVE | Our comment | Resolution |
|---|---|---|---|---|---|
| June 15, 2023 | June 15, 2023 | EPPlus 6.x prior to 6.2.6, targeting .NET 6 or 7. | .NET Denial of Service vulnerability (CVE 2023-29331) | Microsoft has released a security fix for a Denial of Service vulnerability (CVE-2023-29331) in System.Security.Cryptography.Pkcs for .NET 6 and .NET 7. EPPlus uses this component for x509 certificates used when signing VBA projects in a workbook. The potential risk for most users should be low, as the certificates used to sign your workbooks are usually known. | Upgrade to EPPlus 6.2.6 or higher |