Last updated: 2024-08-14
EPPlus 5, 6 and 7 are automatically scanned for vulnerabilities and static code analysis is performed as part of the CI.
Version | Supported | Comment | Deprecation date |
---|---|---|---|
7.x.x | ✅ | ||
6.x.x | ✅ | 2025-12-31 | |
5.x.x | ✅ | 2024-12-31 | |
< 4.3 | ❌ | Deprecated/unsupported versions | 2020-12-31 |
Security patches will be provided via new revisions released in our public Nuget feed. One patch for each supported major version/the two latest minor versions will be provided. Subscribe to our newsletter to get updates from EPPlus Software.
Create an issue in our issue tracker, describe the vulnerability (including relevant links) and what version of EPPlus that is affected.
Since version 7.5 the EPPlus Nuget package and the EPPlus libraries/dll:s are digitally signed by EPPlus Software AB.
Detected | Resolved | Affected EPPlus versions | CVE | Our comment | Resolution |
---|---|---|---|---|---|
October 10, 2024 | October 11, 2024 | EPPlus 7.x,targeting .NET 7 or 8 | Microsoft Security Advisory CVE-2024-38095 and Microsoft Security Advisory CVE-2024-30105 | Microsoft has released a security fix in Microsoft.Extensions.Configuration.Json 8.0.1. The potential risk for most users should be low. | Patch released in version 7.4.1 |
September 9, 2024 | EPPlus 7.x, targeting .NET 7 or 8 | Microsoft Security Advisory CVE-2024-38095 and Microsoft Security Advisory CVE-2024-30105 | Microsoft has released security fixes for System.Text.Json and System.Formats.Asn1 (transient dependencies in EPPlus). The potential risk for most users should be low. | Patch released in version 7.3.2 | |
June 15, 2023 | June 15, 2023 | EPPlus 6.x prior to 6.2.6, targeting .NET 6 or 7. | .NET Denial of Service vulnerability (CVE 2023-29331) | Microsoft has released a security fix for a Denial of Service vulnerability (CVE-2023-29331) in System.Security.Cryptography.Pkcs for .NET 6 and .NET 7. EPPlus uses this component for x509 certificates used when signing VBA projects in a workbook. The potential risk for most users should be low, as the certificates used to sign your workbooks are usually known. | Upgrade to EPPlus 6.2.6 or higher |