CVE-2023-7101
Published: 24 December 2023
Summary
CVE-2023-7101 is a high-severity Eval Injection (CWE-95) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 1.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Spreadsheet::ParseExcel version 0.65 is a Perl module for parsing Excel files that contains an arbitrary code execution vulnerability. The flaw arises when unvalidated Number format strings from an input file are passed directly into a string-type eval call within the parsing logic, enabling injection of Perl code. The issue is tracked under CWE-95 and CWE-94 and carries a CVSS 3.1 score of 7.8 reflecting local access, low attack complexity, no privileges required, and user interaction via a malicious file.
An attacker can supply a crafted Excel document that, when opened or processed by an application using the vulnerable module, executes arbitrary Perl code under the privileges of the calling process. Successful exploitation yields full control over confidentiality, integrity, and availability on the affected system.
Public references point to a fix committed in the upstream repository that sanitizes format strings before evaluation. Additional disclosures from Mandiant and oss-security lists describe the same root cause and recommend upgrading to a patched release once available.
EPSS for the CVE rose from lower values after disclosure to a peak of 0.8590 on 2025-12-11 before receding to the current 0.5779, indicating that exploitation interest increased measurably in the months following publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59285
Vulnerability details
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
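One defensive pattern for the root cause described above, as an added example that is not Spreadsheet::ParseExcel's code or its upstream fix: the format string taken from the file is treated as data, checked against an allowlist for a small supported subset, and rendered without any string eval, so anything outside the subset fails closed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Spreadsheet::ParseExcel's code or its upstream fix:
# an Excel number format string read from an untrusted file is treated as
# data. It is matched against an allowlist for a small supported subset
# (optional thousands separator, fixed decimals, trailing percent) and is
# rendered without ever reaching a string eval. Unsupported formats fail closed.

my $MAX_FORMAT_LEN = 255;   # Excel caps custom number formats at 255 chars

# Returns 1 when $fmt is a format this renderer supports, 0 otherwise.
sub format_string_is_acceptable {
    my ($fmt) = @_;
    return 0 unless defined $fmt && length($fmt) <= $MAX_FORMAT_LEN;
    return $fmt =~ /\A[0#,]+(?:\.[0#]+)?%?\z/ ? 1 : 0;
}

# Renders $value using $fmt; returns undef when the format is not acceptable.
sub render_number {
    my ($fmt, $value) = @_;
    return unless format_string_is_acceptable($fmt);
    my $percent   = ($fmt =~ s/%\z//) ? 1 : 0;          # strip trailing %
    my ($int_part, $frac_part) = split /\./, $fmt, 2;
    my $thousands = ($int_part =~ /,/) ? 1 : 0;
    my $decimals  = defined $frac_part ? length $frac_part : 0;
    $value *= 100 if $percent;
    my $text = sprintf "%.${decimals}f", $value;
    if ($thousands) {
        my ($i, $f) = split /\./, $text, 2;
        1 while $i =~ s/^(-?\d+)(\d{3})/$1,$2/;           # group thousands
        $text = defined $f ? "$i.$f" : $i;
    }
    return $percent ? "$text%" : $text;
}

# Constructed inputs: the first three are ordinary formats; the last carries
# a quoted literal, which this subset does not support, so it is refused.
for my $case (['#,##0.00', 1234567.891], ['0%', 0.256], ['0.0', 2.251],
              ['0.00"units"', 1]) {
    my ($fmt, $v) = @$case;
    my $out = render_number($fmt, $v);
    printf "%-14s -> %s\n", $fmt, defined $out ? $out : 'REJECTED';
}
```

The point is the control flow, not the rendering subset: a format that the allowlist does not recognise is rejected before it touches any code path, which is the fail-closed behaviour that input validation (SI-10) calls for.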
- CWE(s): CWE-95, CWE-94
- KEV Date Added: 02 January 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Arbitrary code execution triggered by parsing malicious Excel files with crafted number format strings enables exploitation of public-facing applications (e.g., email gateways processing attachments) or client software using the vulnerable module.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted Number format strings from Excel files before they reach the unsafe eval in ParseExcel::Utility.
- SI-2 (Flaw Remediation): mandates prompt application of the published patch that removes the eval of format strings from Spreadsheet::ParseExcel.
- A control that can block or alert on the malicious Excel file before the Perl parser executes attacker-supplied code.