Sun. Feb 23rd, 2020

CVE-2019-5032/5033/5041: Aspose Remote Code Execution Vulnerability Alert

1 min read

Recently, the Cisco Talos team released several technical analysis that Aspose.cells and Aspose.words in Aspose products have remote code execution vulnerabilities. Attackers can make a malicious file to exploit related vulnerabilities and remotely execute code after user triggers.

Vulnerability summary

Aspose.Cells Code Execution Vulnerability


CVSS 3.0 : 9.8

An out-of-bounds read vulnerability exists in the LabelSst record parser in the Aspose.Cells library, which can be triggered by an attacker using a special XLS file, resulting in remote code execution. The user’s action is required to successfully exploit the vulnerability.


CVSS 3.0 : 9.8

This vulnerability is similar to CVE-2019-5032.

  • Affected version

Aspose.Cells 19.1.0

For details, please refer to:

Aspose.Words code execution vulnerability


A stack overflow vulnerability exists in the EnumMetaInfo function of version of the Aspose Aspose.Words library. A specially crafted doc file can cause a stack overflow, which can result in remote code execution. An attacker needs a file tailored to the victim to trigger this vulnerability.

  • Affected version:


For details, please refer to:


According to the researcher’s instructions, Aspose officials have not responded to the above vulnerabilities, nor have they released relevant patches to fix the above vulnerabilities.