CVE-2024-53924
📋 TL;DR
Pycel versions up to 1.0b30 allow remote code execution when processing untrusted Excel spreadsheets containing malicious formulas. Attackers can craft formulas that execute arbitrary Python code on the server. This affects any application using Pycel to parse user-uploaded spreadsheets.
💻 Affected Systems
- Pycel
📦 What is this software?
Pycel by Dgorissen
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing an attacker to execute arbitrary commands, install malware, steal data, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, system manipulation, or deployment of ransomware.
If Mitigated
Limited impact if proper input validation and sandboxing prevent formula execution.
🎯 Exploit Status
Proof-of-concept available in GitHub gist showing formula injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider workarounds or alternative libraries.
🔧 Temporary Workarounds
Disable formula evaluation
Configure Pycel not to evaluate formulas in untrusted spreadsheets
Set formula_evaluation=False when initializing Pycel
Input sanitization
Strip or block formulas from user-uploaded spreadsheets before processing
Implement pre-processing to remove cells starting with '='
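An added example of that pre-processing step, written for this page and not code from the advisory or the Pycel project: a stdlib-only scanner that finds formula cells in an uploaded .xlsx (where a formula is stored as an <f> element rather than as '='-prefixed cell text, so a plain '=' check misses it) and can strip them before the workbook reaches Pycel. The sample workbook is constructed inline and contains only the sheet part.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace; a formula is an <f> child of a <c> cell element.
MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}
ET.register_namespace("", MAIN)  # keep the default namespace when rewriting

def find_formula_cells(xlsx_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (sheet part, cell ref, formula) for every formula cell."""
    # The leading '=' is not stored in .xlsx: a formula is an <f> element, so a
    # text scan for cells starting with '=' misses it. Parse the sheet XML instead.
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for cell in root.iter(f"{{{MAIN}}}c"):
                f = cell.find("m:f", NS)
                if f is not None:
                    found.append((name, cell.get("r", "?"), f.text or ""))
    return found

def strip_formulas(xlsx_bytes: bytes) -> bytes:
    """Rewrite the workbook with every <f> removed; cached <v> values stay."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename.startswith("xl/worksheets/") and item.filename.endswith(".xml"):
                root = ET.fromstring(data)
                for cell in list(root.iter(f"{{{MAIN}}}c")):
                    for f in cell.findall("m:f", NS):
                        cell.remove(f)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()

# Constructed minimal workbook (sheet part only): A1 is a literal, B1 a formula.
SAMPLE_SHEET = (f'<worksheet xmlns="{MAIN}"><sheetData><row r="1">'
                '<c r="A1"><v>200</v></c><c r="B1"><f>IF(A1=200,1,0)</f><v>1</v></c>'
                '</row></sheetData></worksheet>')

def build_sample_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", SAMPLE_SHEET)
    return buf.getvalue()
```

A reject-on-sight policy is `if find_formula_cells(data): refuse upload`; `strip_formulas` is the alternative when cached values are acceptable and only the formulas must never reach the evaluator.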
🧯 If You Can't Patch
- Isolate Pycel processing in sandboxed containers with minimal privileges
- Implement strict file upload validation rejecting spreadsheets with formulas
🔍 How to Verify
Check if Vulnerable:
Check Pycel version with pip show pycel or examine requirements.txt for version <=1.0b30
Check Version:
pip show pycel | grep Version
Verify Fix Applied:
Test with a malicious spreadsheet containing the formula =IF(A1=200, eval("__import__('os').system('id')"))
📡 Detection & Monitoring
Log Indicators:
- Python eval() or exec() calls in Pycel logs
- Unexpected system commands from Python process
Network Indicators:
- Outbound connections from Pycel process to unexpected destinations
SIEM Query:
process:pycel AND (command:eval OR command:exec OR command:system)