Cyber Resilience

CVE-2023-7101

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 December 2023
Modified: 24 October 2025
KEV Added: 02 January 2024
Patch: 29 December 2023
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5779 (98.2nd percentile)
Risk Priority: 70 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-7101 is a high-severity Eval Injection (CWE-95) vulnerability in Spreadsheet::ParseExcel, a Perl module for reading Excel files that is packaged by Debian and Fedora, among other distributions. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK techniques Exploit Public-Facing Application (T1190) and Exploitation for Client Execution (T1203), depending on whether the parser runs inside a server-side application or a client program. The CVE ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Spreadsheet::ParseExcel, a Perl module for parsing Excel files, contains an arbitrary code execution vulnerability in version 0.65. The flaw arises because Number format strings read from the input file are interpolated, without validation, into a string-type eval inside the parsing logic, so a crafted format string is executed as Perl code. The issue is tracked under CWE-95 and CWE-94 and carries a CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R), reflecting a local attack vector, low attack complexity, no privileges required, and user interaction in the form of opening a malicious file. Note that AV:L and UI:R describe the desktop case; a server-side deployment that parses untrusted attachments automatically (an email gateway, for example) needs no user interaction at all.

An attacker can supply a crafted Excel document that, when opened or processed by an application using the vulnerable module, executes arbitrary Perl code under the privileges of the calling process. Successful exploitation yields full control over confidentiality, integrity, and availability on the affected system.
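A simplified model of the pattern described above, added here as an illustration and not Spreadsheet::ParseExcel's actual ExcelFmt code: an Excel conditional number format of the shape `[>=100]0.00;0.0` (a plausible shape chosen for the demonstration) is handled once by interpolating the bracket contents into a string eval, and once by a strict parse that compares without any eval. The function names, the two format strings and the `$PAYLOAD_RAN` flag (standing in for `system()` or `open()`) are all constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model of the CWE-95 pattern behind CVE-2023-7101. This is added
# illustrative code, not Spreadsheet::ParseExcel's real ExcelFmt(): it only
# shows how a conditional number format such as "[>=100]..." can carry Perl
# code into a string eval, and how a strict parse removes the eval entirely.

# Flag that an injected payload can flip; stands in for system()/open().
our $PAYLOAD_RAN = 0;

# VULNERABLE: the bracketed condition is taken straight from the (untrusted)
# workbook and interpolated into a string eval.
sub condition_matches_vulnerable {
    my ( $number, $format ) = @_;
    return 0 unless $format =~ /^\[([^\]]*)\]/;   # "[>=100]..." -> ">=100"
    my $cond   = $1;
    my $result = eval "($number $cond)";           # attacker text is executed here
    return $result ? 1 : 0;
}

# HARDENED: accept only a known operator and a numeric literal, then compare
# in ordinary Perl. No attacker-controlled text ever reaches eval.
my %CMP = (
    '<'  => sub { $_[0] <  $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

sub condition_matches_hardened {
    my ( $number, $format ) = @_;
    # Strict grammar: [op][optional sign][digits[.digits]] and nothing else.
    return 0 unless $format =~ /^\[(<=|>=|<>|<|>|=)(-?\d+(?:\.\d+)?)\]/;
    my ( $op, $operand ) = ( $1, $2 );
    return $CMP{$op}->( $number, $operand ) ? 1 : 0;
}

# Constructed inputs: a benign conditional format, and a malicious one whose
# "operand" is a Perl do-block that runs a payload before yielding 100.
my $benign    = '[>=100]0.00;0.0';
my $malicious = '[>= do { $main::PAYLOAD_RAN = 1; 100 }]0.00';

printf "vulnerable/benign:    %d\n", condition_matches_vulnerable( 150, $benign );
printf "vulnerable/malicious: %d (payload ran: %d)\n",
    condition_matches_vulnerable( 150, $malicious ), $PAYLOAD_RAN;

$PAYLOAD_RAN = 0;
printf "hardened/benign:      %d\n", condition_matches_hardened( 150, $benign );
printf "hardened/malicious:   %d (payload ran: %d)\n",
    condition_matches_hardened( 150, $malicious ), $PAYLOAD_RAN;
```

Run it with a stock perl; the vulnerable path reports the payload flag set while still returning a plausible comparison result, which is exactly why the bug is silent from the caller's point of view. The hardened path rejects the malicious format outright because the operand is not a numeric literal. The general lesson is the one SI-10 encodes: data that comes out of a file is a value to compare or parse, never a fragment of program text.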

Public references point to a fix committed in the upstream repository that stops untrusted format strings from reaching the string eval. Additional disclosures from Mandiant and the oss-security list describe the same root cause and recommend upgrading to the patched upstream release, which the patch date above places at 29 December 2023.

EPSS for the CVE rose from lower values after disclosure to a peak of 0.8590 on 2025-12-11 before receding to the current 0.5779. The score has stayed high long after publication, consistent with the CVE's KEV listing and with continued attacker interest in it.


Vulnerability details

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

CWE(s): CWE-95 (Eval Injection), CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Arbitrary code execution triggered by parsing a malicious Excel file with a crafted number format string maps to T1190 where a public-facing application (for example, an email gateway scanning attachments) parses the file unattended, and to T1203 where client software built on the vulnerable module opens it on a user's behalf.

Affected Assets

jmcnamara: Spreadsheet::ParseExcel 0.65
debian: Debian Linux 10.0
fedoraproject: Fedora 38, 39

Mitigating Controls

NIST 800-53 r5 (AI)

SI-10 Information Input Validation (prevent)
Directly requires validation of untrusted Number format strings from Excel files before they reach the unsafe string eval in Spreadsheet::ParseExcel::Utility.

SI-2 Flaw Remediation (prevent)
Mandates prompt application of the published patch, which stops attacker-controlled format strings from reaching eval in Spreadsheet::ParseExcel. Where the module is vendored inside an application rather than installed from the distribution package, the application must be updated separately.

Content screening of inbound files (prevent, detect)
Can block or alert on the malicious Excel file before the Perl parser executes attacker-supplied code.
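For the SI-2 control above, a host check added here as example code (not from the page or the project): it walks this perl's @INC, locates every installed copy of ParseExcel.pm, reads its $VERSION, and compares it with 0.66, which is assumed in this script to be the first upstream release carrying the fix (the page gives 29 December 2023 as the patch date). The function names are chosen for this example. Distribution packages may backport the fix without changing $VERSION, so a VULNERABLE result should be confirmed against the package changelog before acting on it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Added check, not part of the page or the project: find every copy of
# Spreadsheet::ParseExcel reachable from this perl's @INC and report whether
# its version predates the fix. 0.66 is assumed here to be the first upstream
# release with the fix; distro backports may keep an older $VERSION.
my $FIXED = 0.66;

# Returns a list of { path => ..., version => ... } for each ParseExcel.pm
# found in @INC, in search order (the first one is what `use` would load).
sub parseexcel_versions {
    my @found;
    for my $dir (@INC) {
        next if ref $dir;    # skip @INC hooks (code refs, objects)
        my $pm = File::Spec->catfile( $dir, 'Spreadsheet', 'ParseExcel.pm' );
        next unless -f $pm;
        open my $fh, '<', $pm or next;
        my $ver;
        while ( my $line = <$fh> ) {
            # Matches e.g.   our $VERSION = '0.65';
            if ( $line =~ /\$VERSION\s*=\s*['"]?([\d.]+)/ ) {
                $ver = $1;
                last;
            }
        }
        close $fh;
        push @found, { path => $pm, version => $ver };
    }
    return @found;
}

# True when a parsed version string is at or beyond the fixed release.
sub is_fixed {
    my ($ver) = @_;
    return defined $ver && $ver >= $FIXED;
}

my @copies = parseexcel_versions();
if ( !@copies ) {
    print "Spreadsheet::ParseExcel not found on \@INC for $^X\n";
    exit 0;
}
for my $c (@copies) {
    printf "%-60s version %-6s %s\n", $c->{path}, $c->{version} // '?',
        is_fixed( $c->{version} )
        ? 'OK'
        : 'VULNERABLE (update to 0.66 or later, or confirm a backport)';
}

# Non-zero exit if any copy still looks vulnerable, for use in fleet scripts.
exit( ( grep { !is_fixed( $_->{version} ) } @copies ) ? 1 : 0 );
```

Run it once per perl interpreter that applications on the host actually use (`/usr/bin/perl`, a perlbrew or application-bundled perl, and so on), since each has its own @INC. Reporting every copy rather than just the first matters here because a vendored old ParseExcel.pm under an application directory is loaded ahead of the patched system package whenever that directory is earlier in @INC.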
