About EPPlus

EPPlus is a .NET class library for reading and writing Excel spreadsheet files in the Office Open XML format. It is distributed as a NuGet package containing signed assemblies for multiple .NET target frameworks and is intended to be used as a component inside customer-built applications.

How EPPlus runs

EPPlus has no runtime of its own. It is a library that is loaded into a host application's process and executes entirely within that process. This has the following consequences for its security profile:

  • EPPlus does not run in its own process. It runs as in-process code within the application that references it.
  • EPPlus does not manage its own database or persistent storage. Any file or data handling is performed on behalf of the host application.
  • EPPlus does not make network calls. All file I/O is local to the host process.
  • EPPlus has no authentication or authorization mechanism. It does not identify users, issue credentials, or control access.
  • EPPlus has no infrastructure of its own — no servers, no cloud services, no hosted endpoints.
  • Penetration testing of EPPlus is meaningful only in the context of a host application, because the library exposes no standalone runtime or network surface; security testing therefore happens at the level of the host application that uses it.

What this means for security assessments

Many standard security questionnaires are designed for SaaS products or network services. Questions about TLS configuration, access logging, user provisioning, infrastructure hardening, or runtime monitoring do not apply to EPPlus, because EPPlus does not provide any of those surfaces.

The security concerns that do apply to EPPlus are addressed in the sections below and in other sections of this site.

Secure development practices

EPPlus is developed under a set of practices intended to catch defects — including security-relevant defects — early:

  • All code changes are made through pull requests and must be reviewed and approved by another member of the EPPlus team before being merged. This process is public and takes place in the EPPlus GitHub repository.
  • Every change runs through thousands of unit tests as part of our CI/CD pipeline before release.
  • Source code is analyzed on every push by GitHub CodeQL. See Source Code Scanning for details.
  • Dependencies are continuously scanned for known vulnerabilities. See Vulnerability Scanning for details.

Responsibility boundary

Because EPPlus runs inside the host application's process, responsibility for the overall security posture is shared. EPPlus Software AB is responsible for what is inside the library: the correctness of the code, the integrity of released artifacts, and the timely handling of reported vulnerabilities. The host application is responsible for everything around the library: the runtime environment, the users who access that application, and the data that is passed to the library for processing.

Host application responsibilities

  • Deciding whether a file is trusted or untrusted before passing it to EPPlus.
  • Applying resource limits (memory, CPU, processing time) at the process level.
  • Authenticating and authorizing users of the host application.
  • Operating the infrastructure on which the host application runs.
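As an added example (not EPPlus's own code or documentation), the following C# shows what the first two host responsibilities look like in practice: a size cap on the incoming file, a structural pre-check of the ZIP container that every Office Open XML file is (declared uncompressed sizes, compression ratios and entry names, since decompression bombs and traversal names are generic ZIP concerns, not anything the page attributes to EPPlus), and a wall-clock budget around the EPPlus call. The limit values, the `UntrustedWorkbookGuard` class and its method names are assumptions for illustration; the only EPPlus API used is the `ExcelPackage(Stream)` constructor and `Workbook.Worksheets.Count`, and it is assumed the host has already configured the EPPlus license as its version requires.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Threading.Tasks;
using OfficeOpenXml;

// Host-side guard for an .xlsx received from an untrusted party.
// All limits below are assumed values; tune them for the host application.
public static class UntrustedWorkbookGuard
{
    const long MaxBytes = 10L * 1024 * 1024;              // reject uploads above 10 MiB
    const long MaxUncompressedBytes = 200L * 1024 * 1024; // cap on total declared inflated size
    const double MaxRatio = 200.0;                        // XML compresses well; above this is suspicious
    static readonly TimeSpan Budget = TimeSpan.FromSeconds(10);

    // Step 1: cheap structural checks on the container, before anything is parsed.
    // OOXML is a ZIP archive, so the central directory can be inspected without
    // inflating any entry. The sizes are declared values: they catch the common
    // bomb, not an archive that lies, which is why step 2 still runs under a budget.
    public static void CheckContainer(Stream file)
    {
        if (!file.CanSeek) throw new ArgumentException("seekable stream required", nameof(file));
        if (file.Length > MaxBytes)
            throw new InvalidDataException($"file exceeds {MaxBytes} bytes");

        // Local file header signature "PK\x03\x04"
        var sig = new byte[4];
        file.Position = 0;
        if (file.Read(sig, 0, 4) != 4 || sig[0] != 0x50 || sig[1] != 0x4B || sig[2] != 0x03 || sig[3] != 0x04)
            throw new InvalidDataException("not a ZIP container");
        file.Position = 0;

        long declared = 0;
        using (var zip = new ZipArchive(file, ZipArchiveMode.Read, leaveOpen: true))
        {
            foreach (var entry in zip.Entries)
            {
                // Traversal or rooted names are never legitimate inside a workbook package.
                if (entry.FullName.Contains("..") || Path.IsPathRooted(entry.FullName))
                    throw new InvalidDataException($"suspicious entry name: {entry.FullName}");

                declared += entry.Length; // declared uncompressed size
                if (entry.CompressedLength > 0 &&
                    (double)entry.Length / entry.CompressedLength > MaxRatio)
                    throw new InvalidDataException($"suspicious compression ratio in {entry.FullName}");
            }
        }
        if (declared > MaxUncompressedBytes)
            throw new InvalidDataException($"declared uncompressed size {declared} exceeds limit");
        file.Position = 0;
    }

    // Step 2: hand the file to EPPlus under a wall-clock budget. A managed Task cannot be
    // aborted, so on timeout the caller is told but the parsing thread may still be
    // running; a hard memory or CPU limit therefore belongs at the process level
    // (a separate worker process, container limits, a Windows job object), as the
    // responsibility list above puts it.
    public static int CountWorksheets(Stream file)
    {
        CheckContainer(file);
        var parse = Task.Run(() =>
        {
            // Assumes the EPPlus license has been configured for the version in use.
            using (var package = new ExcelPackage(file))
            {
                return package.Workbook.Worksheets.Count;
            }
        });
        if (!parse.Wait(Budget))
            throw new TimeoutException($"workbook not parsed within {Budget}");
        return parse.GetAwaiter().GetResult(); // rethrows the parse exception unwrapped
    }

    public static void Main(string[] args)
    {
        // Usage: pass the path of a file received from an untrusted source.
        using (var fs = File.OpenRead(args[0]))
        {
            Console.WriteLine($"worksheets: {CountWorksheets(fs)}");
        }
    }
}
```

The container check is deliberately done with System.IO.Compression rather than with EPPlus, so that the trust decision is made before any library code runs on the input; if the check rejects the file, nothing from the workbook has been parsed. On timeout the stream is disposed while the background parse may still be reading it, which surfaces as an exception observed on that Task and not by the caller; a host that needs a clean kill must run the parse in a process it can terminate.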

EPPlus Software AB responsibilities

  • The correctness and security of the library code itself.
  • Handling of well-formed and malformed input files within documented limits.
  • Timely remediation of reported vulnerabilities in accordance with our Vulnerability Disclosure Policy.
  • Maintaining supply chain integrity through code signing and published SBOMs.