CVE-2024-23525: 
Linux Debian vulnerability analysis and mitigation

The Spreadsheet::ParseXLSX package before version 0.30 for Perl contains an XML External Entity (XXE) vulnerability identified as CVE-2024-23525. The vulnerability was discovered in January 2024 and exists because the package neglects to use the no_xxe option of XML::Twig, making it susceptible to XXE attacks when parsing XLSX files (NVD, Security MetaCPAN).

The vulnerability stems from the package's default configuration when parsing XLSX files. When calling Spreadsheet::ParseXLSX->new()->parse('user_input_file.xlsx'), the module fails to enable the no_xxe option in XML::Twig, which would prevent XXE attacks. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and requiring user interaction (NVD).

The vulnerability allows attackers to perform XML external entity injection attacks through crafted XLSX files. This could lead to unauthorized access to system files, potential denial of service conditions, or server-side request forgery when parsing maliciously crafted spreadsheet files (Security MetaCPAN).

The vulnerability has been fixed in Spreadsheet::ParseXLSX version 0.30, released on January 17, 2024. Users are strongly advised to upgrade to this version or later. The fix properly implements the no_xxe option in XML::Twig to prevent XXE attacks (MetaCPAN Changes, OSS Security).

The vulnerability was responsibly disclosed and quickly addressed by the maintainer Michael Daum. Debian and other distributions have released security updates to address this vulnerability in their packages. Debian released DLA 3723-1 to provide fixes for their supported releases (Debian LTS).