PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5992 Python CVE debrief

CVE-2017-5992 affects openpyxl 2.4.1, a Python library for reading and writing Excel files. The weakness is an XML external entity (XXE) issue (CWE-611): the library resolves external entities by default while parsing the XML parts of a workbook, so a crafted .xlsx document opened with the vulnerable version can trigger external entity resolution and expose data or degrade availability on the host doing the parsing. Because exploitation requires a user or process to open the malicious file, the practical risk is highest anywhere spreadsheet uploads or imports from untrusted sources are accepted, whether on a server or a desktop.

Vendor
Python
Product
openpyxl (affected version 2.4.1)
CVSS
8.2 HIGH (CVSS v3, NVD)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-15
Original CVE updated
2026-05-13
Advisory published
2017-02-15
Advisory updated
2026-05-13

Who should care

Teams running Python applications that use openpyxl to ingest .xlsx files: file-upload services, document processing pipelines, data import jobs, and any environment that opens spreadsheets from untrusted sources.

Technical summary

NVD maps the affected product as openpyxl 2.4.1 and classifies the weakness as CWE-611 (Improper Restriction of XML External Entity Reference). The reported behavior is that external entities are resolved by default while parsing the XML parts of a crafted .xlsx document, so whoever controls the file can cause classic XXE outcomes such as disclosure of local file contents or resource exhaustion. The CVSS v3 vector provided by NVD is AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H (8.2, High): local attack vector and required user interaction (the file has to be opened), no privileges needed, changed scope because the impact reaches the host rather than just the library, high confidentiality and availability impact, no integrity impact.

Defensive priority

High. Prioritize remediation if openpyxl is used to process attacker-controlled or externally sourced spreadsheets, or if spreadsheet uploads can reach automated back-end parsing.

Recommended defensive actions

  • Verify whether openpyxl 2.4.1 is installed anywhere .xlsx parsing happens (pip show openpyxl or pip freeze in each environment, including container images and vendored copies).
  • Apply the upstream fix referenced in the openpyxl issue and commit records, or upgrade to a non-vulnerable release confirmed by the project.
  • Review spreadsheet ingestion paths so that untrusted files never reach a parser with external entity resolution enabled; OOXML parts do not use DTDs, so a workbook whose XML carries a DOCTYPE or ENTITY declaration can be rejected outright before parsing.
  • Add safeguards to file-upload and import workflows: allowlist file types and sources, parse in a sandbox with no network access and minimal filesystem visibility, and limit who can submit spreadsheets.
  • Monitor for unexpected outbound network connections or file reads from spreadsheet-processing components; either is a strong XXE indicator.
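The following is an added example, not code from the openpyxl project or from the CVE references, illustrating the pre-parse gate suggested in the technical summary and in the ingestion-path action above. It treats any DOCTYPE or entity declaration in an .xlsx part as hostile (OOXML never needs one) and refuses to hand such a file to openpyxl. Expat is used only to detect declarations: no external-entity handler is installed, so nothing is fetched. The fixtures are constructed in-memory archives shaped like a workbook, not real spreadsheets; load_workbook_guarded and its openpyxl call are a hypothetical call site and assume openpyxl is installed.

```python
"""Pre-parse gate: reject .xlsx uploads that carry a DTD before openpyxl parses them."""
import io
import zipfile
import xml.parsers.expat


class UnsafeSpreadsheet(ValueError):
    """Raised when a workbook must not be handed to the spreadsheet parser."""


def part_declares_dtd(data: bytes) -> bool:
    """True if an XML part declares a DOCTYPE or any entity, or is not well-formed.

    OOXML parts never need a DTD, so every declaration is treated as hostile
    (external entities for XXE, internal ones for entity-expansion DoS).
    Expat acts only as a tokenizer here: with no ExternalEntityRefHandler set
    it reports external entities but never resolves them.
    """
    hits = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda *_: hits.append("doctype")
    parser.EntityDeclHandler = lambda *_: hits.append("entity")
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        return True  # malformed XML cannot be vouched for either
    return bool(hits)


def scan_xlsx(blob: bytes) -> list:
    """Return the archive members that declare a DTD; an empty list means clean."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        raise UnsafeSpreadsheet("not a ZIP container: %s" % exc)
    flagged = []
    with archive:
        for info in archive.infolist():
            # Every XML-bearing part is checked, including relationship files.
            if not info.filename.endswith((".xml", ".rels")):
                continue
            if part_declares_dtd(archive.read(info)):
                flagged.append(info.filename)
    return flagged


def load_workbook_guarded(blob: bytes):
    """Hypothetical call site: scan first, then let openpyxl (assumed installed) parse."""
    flagged = scan_xlsx(blob)
    if flagged:
        raise UnsafeSpreadsheet("DTD/entity declaration in: %s" % ", ".join(flagged))
    from openpyxl import load_workbook  # imported lazily; not exercised below
    return load_workbook(io.BytesIO(blob), read_only=True)


def build_sample_xlsx(shared_strings_xml: bytes) -> bytes:
    """Constructed fixture: a minimal workbook-shaped ZIP, not a real spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml",
                    b'<?xml version="1.0"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheets/></workbook>')
        zf.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


CLEAN_XLSX = build_sample_xlsx(
    b'<?xml version="1.0"?><sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    b'<si><t>hello</t></si></sst>')

# Constructed payload shape: an external entity declared in the DTD and referenced from content.
XXE_XLSX = build_sample_xlsx(
    b'<?xml version="1.0"?><!DOCTYPE sst [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<sst><si><t>&xxe;</t></si></sst>')

MALFORMED_XLSX = build_sample_xlsx(b"<sst><si>")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_XLSX), ("xxe", XXE_XLSX), ("malformed", MALFORMED_XLSX)):
        print(label, scan_xlsx(blob) or "ok")
```

The gate is deliberately stricter than a targeted check for SYSTEM entities: rejecting every DTD costs nothing for genuine workbooks and closes the internal-entity expansion variant as well. It complements, rather than replaces, upgrading openpyxl, since a parser that still resolves entities will remain exposed through any path that bypasses the gate.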

Evidence notes

The CVE record and NVD detail identify openpyxl 2.4.1 as vulnerable and classify the weakness as CWE-611. Supporting references in the record include an oss-security disclosure thread, an openpyxl commit, an openpyxl issue, and a Debian bug report. The CVE was published on 2017-02-15, and the NVD record was last modified on 2026-05-13. The supplied source corpus does not include a fixed version number, so remediation is phrased conservatively around the upstream fix and version verification.

Official resources

Public disclosure references are dated 2017-02-07; the CVE was published on 2017-02-15 and the NVD record was last modified on 2026-05-13. The references attached to the record are the oss-security disclosure thread, the openpyxl issue and commit, and the Debian bug report.