gitsafehub
github.com/alibaba/easyexcel

alibaba/easyexcel

scanned 2026-05-27 · git aae9c61
2 of 6 checks flagged a security issue
🔴 Needs attention
6 checks ran. Start with vulnerable dependencies below. Read them together with the Project health note that the repository is archived: upstream version bumps should not be expected, so fixes belong in the consuming project (or a maintained fork), not in an issue filed against this repo.

Informational scan, not a security audit.

Summary by check: Leaked secrets 0 · Vulnerable dependencies 151 · Known OSS vulnerabilities 79 · Risky code patterns 0 · Malicious dependencies 0 · Project health 11 notes

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 151 found · 10 serious

Packages you depend on that have known security holes (CVEs). Each finding names the pom.xml that declares the dependency, and that placement is the first triage question. A dependency declared only in easyexcel-test/pom.xml (a test module, assuming it is not published) reaches the build but not the projects that consume easyexcel; the Tomcat and Spring entries fall in this group. Entries under easyexcel-core/pom.xml (Apache POI, and Apache Commons Compress for CVE-2024-25710/CVE-2024-26308) sit in the module that parses attacker-supplied spreadsheet files and so matter most to consumers. Confirm with `mvn dependency:tree` on the module you actually use; where the vulnerable artifact arrives transitively, pin the patched version in a `<dependencyManagement>` section of the consuming pom rather than waiting for an upstream release.

  Fix for every entry: update the listed package to its patched version. Where the same CVE is reported under two files it is one version bump; the "10 serious" in the heading are five CVEs each counted once for pom.xml and once for easyexcel-test/pom.xml.

  • Serious CVE-2025-24813 Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Exe ...
    pom.xml, easyexcel-test/pom.xml
  • Serious CVE-2026-41293 Improper Input Validation vulnerability in Apache Tomcat. This issue ...
    pom.xml, easyexcel-test/pom.xml
  • Serious CVE-2026-43512 DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...
    pom.xml, easyexcel-test/pom.xml
  • Serious CVE-2026-43515 Improper Authorization vulnerability when multiple method constraints ...
    pom.xml, easyexcel-test/pom.xml
  • Serious CVE-2016-1000027 spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization
    pom.xml, easyexcel-test/pom.xml
    Per Spring's own advisory this is only reachable when an HttpInvoker/RemoteInvocation exporter endpoint is exposed to untrusted clients; the remoting classes were removed in Spring Framework 6.0, which is why scanners report 6.0 as the fix.
  • Worth fixing CVE-2024-25710 Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...
    easyexcel-core/pom.xml, easyexcel-test/pom.xml
  • Worth fixing CVE-2024-26308 Allocation of Resources Without Limits or Throttling vulnerability in ...
    easyexcel-core/pom.xml, easyexcel-test/pom.xml
  • Worth fixing CVE-2025-31672 Improper Input Validation vulnerability in Apache POI. The issue affec ...
    easyexcel-core/pom.xml, easyexcel-test/pom.xml
  • Worth fixing CVE-2025-41249 The Spring Framework annotation detection mechanism may not correctly ...
    easyexcel-support/pom.xml
  • Worth fixing CVE-2024-12798 ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...
    easyexcel-test/pom.xml
  • Worth fixing CVE-2025-11226 QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
    easyexcel-test/pom.xml
  • Worth fixing CVE-2023-51074 json-path: stack-based buffer overflow in Criteria.parse method
    easyexcel-test/pom.xml
  • Worth fixing CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
    easyexcel-test/pom.xml
  • Worth fixing CVE-2024-34750 Improper Handling of Exceptional Conditions, Uncontrolled Resource Con ...
    easyexcel-test/pom.xml
  • Worth fixing CVE-2024-50379 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during ...
    easyexcel-test/pom.xml
  • Worth fixing CVE-2024-56337 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apa ...
    easyexcel-test/pom.xml
  • Worth fixing CVE-2025-48988 Allocation of Resources Without Limits or Throttling vulnerability in ...
    easyexcel-test/pom.xml
… 126 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 79 found · 5 serious

Your dependencies cross-checked against the OSV vulnerability database. Many of these are the same advisories Trivy reported above under their GHSA identifiers (the partial-PUT Tomcat RCE, the digest-authentication bypass and the Spring deserialization entry among them), so the two sections overlap heavily and should be deduplicated by advisory before counting work; the module placement caveat from the Trivy section applies unchanged.

  Fix for every entry: update the listed package to its patched version. Paths are relative to the repository root.

  • Serious GHSA-5m62-pw8w-7w9f Apache Tomcat - Security constraints not correctly applied
    easyexcel-test/pom.xml
  • Serious GHSA-83qj-6fr2-vhqg Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
    easyexcel-test/pom.xml
  • Serious GHSA-h6fc-48rj-7qqh Apache Tomcat - Digest authenticator will authenticate any unknown user
    easyexcel-test/pom.xml
  • Serious GHSA-r29c-68gh-xp6x Apache Tomcat - HTTP/2 request headers not validated
    easyexcel-test/pom.xml
  • Serious GHSA-4wrc-f8pq-fpqp Pivotal Spring Framework contains unsafe Java deserialization methods
    easyexcel-test/pom.xml
  • Worth fixing GHSA-jmp9-x22r-554x Spring Framework annotation detection mechanism may result in improper authorization
    easyexcel-support/pom.xml
  • Worth fixing GHSA-h46c-h94j-95f3 jackson-core can throw a StackoverflowError when processing deeply nested data
    easyexcel-test/pom.xml
  • Worth fixing GHSA-493p-pfq6-5258 json-smart Uncontrolled Recursion vulnerability
    easyexcel-test/pom.xml
  • Worth fixing GHSA-25xr-qj8w-c4vf Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams
    easyexcel-test/pom.xml
  • Worth fixing GHSA-27hp-xhwr-wr2m Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
    easyexcel-test/pom.xml
  • Worth fixing GHSA-563x-q5rq-57qp Apache Tomcat has an HTTP Request/Response Smuggling vulnerability
    easyexcel-test/pom.xml
  • Worth fixing GHSA-5j33-cvvr-w245 Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
    easyexcel-test/pom.xml
  • Worth fixing GHSA-5mp6-jrq3-r938 Apache Tomcat: LockOutRealm treats user names as case-sensitive
    easyexcel-test/pom.xml
  • Worth fixing GHSA-fv25-8xcx-gqjc Apache Tomcat - WebSocket authentication header exposure
    easyexcel-test/pom.xml
  • Worth fixing GHSA-gqp3-2cvr-x8m3 Apache Tomcat Improper Resource Shutdown or Release vulnerability
    easyexcel-test/pom.xml
  • Worth fixing GHSA-gx5v-xp9w-j4cg Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
    easyexcel-test/pom.xml
  • Worth fixing GHSA-h3gc-qfqq-6h8f Apache Tomcat - DoS in multipart upload
    easyexcel-test/pom.xml
  • Worth fixing GHSA-mgp5-rv84-w37q Apache Tomcat has an Improper Input Validation vulnerability
    easyexcel-test/pom.xml
  • Worth fixing GHSA-rv64-5gf8-9qq8 Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
    easyexcel-test/pom.xml
  • Worth fixing GHSA-wm9w-rjj3-j356 Apache Tomcat - Denial of Service
    easyexcel-test/pom.xml
  • Worth fixing GHSA-wmwf-9ccg-fff5 Apache Tomcat Vulnerable to Relative Path Traversal
    easyexcel-test/pom.xml
  • Worth fixing GHSA-wr62-c79q-cv37 Apache Tomcat Catalina is vulnerable to DoS attack through bypassing of size limits
    easyexcel-test/pom.xml
  • Worth fixing GHSA-x4m4-345f-5h5g Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File
    easyexcel-test/pom.xml
  • Worth fixing GHSA-rqfh-9r24-8c9r AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
    easyexcel-test/pom.xml
  • Worth fixing GHSA-rc42-6c7j-7h5r Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
    easyexcel-test/pom.xml
… 54 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 11 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 3.4/10
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 8 merged PRs checked by a CI test -- score normalized to 0
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/8 approved changesets -- score normalized to 0
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
  • Minor scorecard-Maintained Maintained scored 0: project is archived
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
  • Minor scorecard-Vulnerabilities Vulnerabilities scored 0: 71 existing vulnerabilities detected

  All of these are project-health signals (maintenance and supply-chain hygiene), not vulnerabilities in your code. Two of them change how to read the rest of this page. Maintained (archived) means none of the dependency findings above will be fixed upstream, so the remediation path is version overrides in the consuming project or a maintained fork. Fuzzing scored 0 is the one that matters for a parser of untrusted spreadsheet files: there is no fuzz corpus behind the OOXML parsing path, so the POI and Commons Compress CVEs above are the only input-handling defects anyone has looked for. Token-Permissions and Pinned-Dependencies have mechanical fixes if the code is carried on in a fork: a top-level `permissions:` block in each workflow that grants only `contents: read` (widened per job where needed), and third-party actions referenced by full commit SHA rather than a mutable tag.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.