CVE-2023-7101 Overview
CVE-2023-7101 is an arbitrary code execution vulnerability affecting Spreadsheet::ParseExcel version 0.65, a widely used Perl module for parsing Excel files. The flaw is that the module passes unvalidated input read from an Excel file directly into a Perl string eval. Specifically, it is triggered when Number format strings from the file are evaluated during parsing, which lets an attacker embed and execute arbitrary Perl code by supplying a crafted Excel file for processing.
This vulnerability is particularly dangerous because Spreadsheet::ParseExcel is a dependency for numerous Perl applications and scripts that handle Excel file uploads or processing, potentially exposing backend systems to remote code execution through seemingly innocuous spreadsheet files.
Critical Impact
This vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild. Attackers can achieve arbitrary code execution by crafting malicious Excel files that exploit the unsafe eval of Number format strings.
Affected Products
- Spreadsheet::ParseExcel (Perl module) version 0.65 and earlier
- Debian Linux 10.0
- Fedora 38 and 39
Discovery Timeline
- December 24, 2023 - CVE-2023-7101 published to NVD
- December 29, 2023 - Security discussion posted to Openwall OSS-Security mailing list
- October 24, 2025 - Last updated in NVD database
Technical Details for CVE-2023-7101
Vulnerability Analysis
The vulnerability resides in the Spreadsheet/ParseExcel/Utility.pm module, specifically in the code responsible for handling conditional formatting within Excel Number format strings. The original implementation used a Perl string eval to process conditional expressions extracted from format strings. Since these format strings are read directly from the Excel file without proper sanitization, an attacker can embed malicious Perl code within the conditional portion of a Number format string.
When the module parses an Excel file containing a crafted format string, the malicious payload is passed directly to eval, resulting in arbitrary code execution with the privileges of the Perl process. The attack requires user interaction (opening or processing a malicious Excel file), but once triggered it yields full code execution.
Root Cause
The root cause is the use of Perl's string eval to evaluate user-controlled input without proper sanitization. The vulnerable code extracts conditional expressions from Excel Number format strings with a regular expression and then evaluates them directly. The bracketed conditional syntax at the start of a format string (an operator character `<`, `>` or `=` followed by a comparison value) was intended for numeric comparisons but accepted arbitrary content, all of which was passed to eval. This is a classic code injection vulnerability (CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code; CWE-94: Improper Control of Generation of Code).
Attack Vector
The attack vector is local in the sense that a user, or an automated process acting on the user's behalf, must be made to open or parse a maliciously crafted Excel file. Exploitation scenarios include:
- Email attachments - Sending malicious Excel files as email attachments to users who process them with Perl scripts using Spreadsheet::ParseExcel
- File upload applications - Web applications that accept Excel uploads and parse them server-side using the vulnerable module
- Automated processing pipelines - Systems that automatically process Excel files from untrusted sources
The attacker crafts an Excel file with a malicious Number format string containing Perl code in the conditional expression field. When parsed, this code executes in the context of the Perl interpreter.
# Security patch in lib/Spreadsheet/ParseExcel/Utility.pm
# Do not use string eval for conditional formatting
$format_str = '@' if uc($format_str) eq "GENERAL";
# Check for a conditional at the start of the format. See notes above.
- my $conditional;
- if ( $format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) {
- $conditional = $1;
- $format_str = $2;
+ my $conditional_op;
+ my $conditional_value;
+ if ( $format_str =~ /^\[([<>=]+)([^\]]+)\](.*)$/ ) {
+ $conditional_op = $1;
+ $conditional_value = $2;
+ $format_str = $3;
}
# Ignore the underscore token which is used to indicate a padding space.
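Review bot: the new regex on the `if ( $format_str =~ /^\[([<>=]+)([^\]]+)\](.*)$/ )` line accepts any run of `<`, `>` and `=` as `$conditional_op` (so `=<` or `>>` also match) and any non-`]` text as `$conditional_value`; since the hunk does not show where the two variables are consumed, the downstream code should check `$conditional_op` against the small set of Excel comparison operators and require `$conditional_value` to look like a number, ignoring the conditional otherwise, and a short comment at the `+ my $conditional_op;` / `+ my $conditional_value;` declarations stating that contract would make the intent of the fix explicit to future maintainers.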
Source: GitHub Commit Update
Detection Methods for CVE-2023-7101
Indicators of Compromise
- Unusual Perl process behavior or unexpected child processes spawned during Excel file processing
- Network connections initiated by Perl scripts that normally only perform local file operations
- Suspicious Excel files with abnormal Number format strings containing Perl code patterns (backticks, system(), exec())
- Log entries showing errors or exceptions in Spreadsheet::ParseExcel during file processing
Detection Strategies
- Monitor for unusual process execution chains originating from Perl interpreters, particularly when processing Excel files
- Implement file inspection rules to detect Excel files with suspicious format string patterns before processing
- Deploy endpoint detection to identify code injection attempts through Excel parsing operations
- Use application-level logging to capture format string contents during Excel processing for forensic analysis
Monitoring Recommendations
- Enable verbose logging in applications using Spreadsheet::ParseExcel to capture processing events
- Monitor system calls made by Perl processes handling file uploads or Excel processing tasks
- Implement network segmentation for systems that process untrusted Excel files to limit lateral movement potential
- Review CISA KEV alerts and threat intelligence feeds for indicators related to CVE-2023-7101 exploitation
How to Mitigate CVE-2023-7101
Immediate Actions Required
- Update Spreadsheet::ParseExcel to the latest patched version immediately on all affected systems
- Audit all Perl applications and scripts to identify dependencies on Spreadsheet::ParseExcel
- Implement input validation and sandboxing for any systems that process Excel files from untrusted sources
- Review recent Excel file processing logs for signs of exploitation attempts
Patch Information
The vulnerability has been addressed by the maintainer through commit bd3159277e745468e2c553417b35d5d7dc7405bc. The fix modifies the conditional format string parsing to separate the operator and value components rather than passing the entire expression to eval. Linux distributions including Debian and Fedora have released updated packages addressing this vulnerability.
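The operator/value split described above, carried through to a numeric comparison without any eval and reused as the file-inspection check suggested under Detection Strategies, as an added Perl example that is not the module's or the maintainer's code: the `%COMPARE` table, the function names and the sample format strings are constructed here for illustration.

```perl
use strict;
use warnings;
use Scalar::Util qw(looks_like_number);

# Whitelist of Excel conditional operators mapped to numeric comparisons.
# Nothing taken from the format string is ever interpolated into Perl code.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# Split a leading "[<op><value>]" conditional off a number format string.
# Returns (op, value, rest), or an empty list when there is no conditional
# or it is malformed (unknown operator or non-numeric value).
sub parse_conditional {
    my ($format_str) = @_;
    return () unless $format_str =~ /^\[([<>=]+)([^\]]+)\](.*)$/s;
    my ($op, $value, $rest) = ($1, $2, $3);
    return () unless exists($COMPARE{$op}) && looks_like_number($value);
    return ($op, $value, $rest);
}

# Evaluate a parsed conditional against a cell value via the dispatch table.
sub condition_holds {
    my ($op, $value, $number) = @_;
    return $COMPARE{$op}->($number, $value) ? 1 : 0;
}

# 1 when the string starts a bracketed conditional that fails strict
# validation: a file-inspection signal to quarantine before parsing.
sub is_suspicious_format {
    my ($format_str) = @_;
    return 0 unless $format_str =~ /^\[[<>=]/;
    my @parsed = parse_conditional($format_str);
    return @parsed ? 0 : 1;
}

# Constructed samples: two legitimate formats and two malformed ones.
for my $fmt ('[>100]0.00', '[<=0]"neg";0', '[<>x]0', '[<0 and junk]0') {
    my ($op, $value, $rest) = parse_conditional($fmt);
    print "$fmt => ", defined $op
        ? "op=$op value=$value rest=$rest holds(150)="
            . condition_holds($op, $value, 150)
        : "rejected, suspicious=" . is_suspicious_format($fmt), "\n";
}
```

The two malformed samples are rejected before any comparison runs, which is the property the patch restores: format-string content can only select an operator and supply a number, never code.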
For detailed patch information, refer to:
Workarounds
- If immediate patching is not possible, consider temporarily disabling Excel file processing functionality or blocking Excel file uploads
- Implement strict file type validation to ensure only legitimate Excel files are processed
- Run Perl processes that handle Excel files in sandboxed or containerized environments with minimal privileges
- Consider using alternative Excel parsing libraries that do not use unsafe eval patterns
# Check installed Spreadsheet::ParseExcel version
perl -MSpreadsheet::ParseExcel -e 'print "$Spreadsheet::ParseExcel::VERSION\n"'
# Update via CPAN to latest version
cpan Spreadsheet::ParseExcel
# For Debian systems
sudo apt update && sudo apt upgrade libspreadsheet-parseexcel-perl
# For Fedora systems
sudo dnf update perl-Spreadsheet-ParseExcel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.