CVE-2019-5032/5033/5041: Aspose Remote Code Execution Vulnerability Alert

Aspose Remote Code Execution

Recently, the Cisco Talos team released several technical analyses showing that Aspose.Cells and Aspose.Words, two Aspose products, contain remote code execution vulnerabilities. An attacker can craft a malicious file that exploits these vulnerabilities and executes code remotely once a user triggers it.

Vulnerability summary

Aspose.Cells Code Execution Vulnerability


CVSS 3.0 : 9.8

An out-of-bounds read vulnerability exists in the LabelSst record parser of the Aspose.Cells library. An attacker can trigger it with a specially crafted XLS file, resulting in remote code execution. User interaction is required to exploit the vulnerability successfully.
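The bounds checks a LabelSst parser needs before it trusts anything in the record, shown as an added example that is not code from Aspose or from the Talos analysis. The alert does not say which field the vulnerable parser mishandles; the record layout used here follows the public MS-XLS format, and `sst_t`, `label_t`, `labelsst_parse` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIFF_LABELSST 0x00FD /* LabelSst record type (MS-XLS) */
#define LABELSST_BODY 10     /* rw(2) col(2) ixfe(2) isst(4) */

/* Hypothetical holder for the already-parsed shared string table (SST). */
typedef struct { const char *const *strings; uint32_t count; } sst_t;
/* Hypothetical parse result; ok == 0 means the record was rejected. */
typedef struct { int ok; uint16_t row, col; const char *text; } label_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

label_t labelsst_parse(const uint8_t *rec, size_t len, const sst_t *sst)
{
    label_t out = { 0, 0, 0, NULL };
    if (!rec || !sst || len < 4) return out;          /* no room for type + size */
    if (rd16(rec) != BIFF_LABELSST) return out;
    uint16_t size = rd16(rec + 2);
    /* Declared size must match the fixed layout and fit the bytes we hold. */
    if (size != LABELSST_BODY || (size_t)size > len - 4) return out;
    const uint8_t *body = rec + 4;
    uint32_t isst = rd32(body + 6);
    /* File-controlled index: must fall inside the SST before it is used. */
    if (isst >= sst->count) return out;
    out.ok = 1;
    out.row = rd16(body);
    out.col = rd16(body + 2);
    out.text = sst->strings[isst];
    return out;
}

/* Constructed sample data, not taken from any real workbook. */
static const char *const SAMPLE_STRINGS[] = { "Name", "Total" };
static const sst_t SAMPLE_SST = { SAMPLE_STRINGS, 2 };
static const uint8_t REC_OK[]  = { 0xFD,0x00, 0x0A,0x00, 0x02,0x00, 0x01,0x00, 0x0F,0x00, 0x01,0x00,0x00,0x00 };
static const uint8_t REC_OOB[] = { 0xFD,0x00, 0x0A,0x00, 0x02,0x00, 0x01,0x00, 0x0F,0x00, 0xFF,0xFF,0xFF,0x7F };

int main(void)
{
    label_t a = labelsst_parse(REC_OK, sizeof REC_OK, &SAMPLE_SST);
    label_t b = labelsst_parse(REC_OOB, sizeof REC_OOB, &SAMPLE_SST);
    label_t c = labelsst_parse(REC_OK, 8, &SAMPLE_SST); /* truncated buffer */
    printf("valid:     %s (row %u, col %u)\n", a.ok ? a.text : "(rejected)", (unsigned)a.row, (unsigned)a.col);
    printf("oob index: %s\n", b.ok ? b.text : "(rejected)");
    printf("truncated: %s\n", c.ok ? c.text : "(rejected)");
    return 0;
}
```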


CVSS 3.0 : 9.8

This vulnerability is similar to CVE-2019-5032.

  • Affected version

Aspose.Cells 19.1.0

For details, please refer to:

Aspose.Words code execution vulnerability


A stack overflow vulnerability exists in the EnumMetaInfo function of version of the Aspose Aspose.Words library. A specially crafted doc file can cause a stack overflow, which can result in remote code execution. An attacker needs a file tailored to the victim to trigger this vulnerability.

  • Affected version:


For details, please refer to:


According to the researcher’s statement, Aspose has not responded regarding the above vulnerabilities, nor has it released patches to fix them.